> On Thu, Aug 03, 2023 at 01:28:44AM +0200, Tom Payne wrote:
> > I, and chezmoi's users, would love for chezmoi to be included in Debian.
> > There's an existing Debian bug for this
> > <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012721>, and an existing
> > issue in the chezmoi repo <https://github.com/twpayne/chezmoi/issues/2130>.
>
> As per the Bug report, Ryan is working on it so I've kept them in CC.
>
> > What is tricky is that chezmoi has regular releases
> > <https://www.chezmoi.io/reference/release-history/> (roughly, a minor
> > version every two weeks), including fixing security problems
>
> Are security problems relatively frequent?

They're every month or so. For example, Go 1.19 has had twelve patch releases to address security problems since its release one year ago. Of course, not all of these affect chezmoi.

Security problems in other dependencies are less frequent, maybe a few per year. I have a scheduled daily govulncheck run and fix problems as soon as I can, usually within a few hours.

> If so, do note that the Debian release cycle may have quirks with
> the same. Debian is released once in ~2 years and the stable version
> needs support for ~3 years. Except for very urgent cases, packages
> are not updated in stable.
>
> If a security bug hits the version in stable, do you find it a possibility
> to support backporting security patches?

Yes-ish. Go itself only supports security fixes up to ~1 year, so I'm not sure how chezmoi (or Debian) can do better than that. Are you backporting security fixes from Go 1.20.7 (which has a recent security fix) to Go 1.15 (which was released ~3 years ago)?

Note that chezmoi runs without elevated privileges and primarily shuffles files around in the user's home directory, downloads things over HTTP and git, and runs the occasional user-defined script, so its attack surface is fairly limited. In practice, security vulnerabilities will be in the various network client libraries that chezmoi uses, assuming the attacker can trick the user into communicating with a malicious server.

> > and updating
> > dependencies, that make it effectively impossible for Debian packaging to
> > follow.
>
> Are _major_ version changes in the dependencies a frequent occurrence?

I probably do about ten major version changes per year. However, minor and patch version bumps also cause problems, for example:

I know that the underlying problem here is that these maintainers have not used semantic versioning correctly, but maintainers are human and therefore make mistakes, so you cannot rely on semantic versions being correct.

> > Would you consider accepting chezmoi as a vendored package, as happened
> > with Kubernetes
> > <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971515#172>?
>
> I find it unlikely but I think a mix of vendored libs and system
> packages can make it work. Many packages follow similar methods.

What do I need to do to enable this mix? I read the
Debian Go packaging page but could not find any mention of it. Would vendoring-in chezmoi's dependencies be sufficient from upstream (i.e. me)?

Many thanks again for considering this,

Tom