
Re: pkcs7





On Mon, Mar 17, 2025 at 6:42 PM Simon Josefsson <simon@josefsson.org> wrote:
All,

We now have the maintained fork in Debian:

https://tracker.debian.org/pkg/golang-github-smallstep-pkcs7

I think all packages below could be migrated to it.  Upstream seems
supportive to make that happen.

But I'm not sure it is a good idea to start on this now... we are
getting closer to the release.  Thoughts?  I worry that if we are not
able to make all uses go away, then we are almost worse off than before.
So maybe we should just fix the RC bugs in those two unmaintained
packages.

I personally agree that we should proceed, but it does technically fall into the category "transition freeze" cf. https://release.debian.org/testing/freeze_policy.html#transition. However, I think we should ask the release team for their opinion. To make it easier for them, we should provide them with background and the maintenance status of the libraries.

Did you check whether the API has changed? Your idea to provide (by building a transitional package with the old name -- I don't think using the "Provides" package relationship would do in this case) the old package name can be useful to check whether introducing the fork would require code changes in downstream packages. If we can demonstrate that this switch is not causing build issues, that would instill confidence in this transition.


-rt
 

The code between these three packages is similar though, so migration
could be simple.

The new golang-github-smallstep-pkcs7 package could do something to make
it easier to migrate to it, but right now you need to rebuild all
packages below with a patch that changes the Build-Depends in
debian/control and also a patch to change the import namespace in code
using it.

We could start asking upstreams of the packages below to consider
migrating to golang-github-smallstep-pkcs7 as well.  If there is pushback
(rather than silence/ignorance) we may learn something.

/Simon

jas@kaka:~/dpkg$ ssh mirror.ftp-master.debian.org "dak rm -Rn -b golang-github-fullsailor-pkcs7-dev golang-github-digitorus-pkcs7-dev"
Will remove the following packages from unstable:

golang-github-digitorus-pkcs7-dev | 0.0~git20230818.3a137a8-2 | all
golang-github-fullsailor-pkcs7-dev | 0.0~git20210826.33d0574-3 | all

Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
golang-github-containers-ocicrypt: golang-github-containers-ocicrypt-dev
golang-github-digitorus-timestamp: golang-github-digitorus-timestamp-dev
golang-github-micromdm-scep: golang-github-micromdm-scep-dev
golang-github-sigstore-timestamp-authority: golang-github-sigstore-timestamp-authority-dev
golang-github-smallstep-certificates: golang-github-smallstep-certificates-dev
sigstore-go: golang-github-sigstore-sigstore-go-dev

# Broken Build-Depends:
gitlab-ci-multi-runner: golang-github-fullsailor-pkcs7-dev
golang-github-containers-image: golang-github-fullsailor-pkcs7-dev
golang-github-containers-ocicrypt: golang-github-fullsailor-pkcs7-dev
golang-github-digitorus-timestamp: golang-github-digitorus-pkcs7-dev
golang-github-foxboron-go-uefi: golang-github-fullsailor-pkcs7-dev
golang-github-micromdm-scep: golang-github-fullsailor-pkcs7-dev (0.0~git20210826.33d0574~ >=)
golang-github-sigstore-timestamp-authority: golang-github-digitorus-pkcs7-dev
golang-github-smallstep-certificates: golang-github-fullsailor-pkcs7-dev
podman: golang-github-fullsailor-pkcs7-dev

Dependency problem found.

jas@kaka:~/dpkg$


--
regards,
    Reinhard
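
The two-part patch described in the quoted message (Build-Depends in debian/control plus the import namespace in the code), written as a shell script. This is an added example, not code from the thread or from Debian tooling; the Go import paths are assumed from the Debian package names, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The Go import paths are assumptions
# inferred from the Debian package names (golang-github-<owner>-pkcs7-dev).
NEW_PKG=golang-github-smallstep-pkcs7-dev
NEW_IMPORT=github.com/smallstep/pkcs7
OLD_PKG_RE='golang-github-(fullsailor|digitorus)-pkcs7-dev'
OLD_IMPORT_RE='"github\.com/(fullsailor|digitorus)/pkcs7"'

# Apply a sed -E expression ($2) to file $1 in place, without relying on sed -i.
rewrite() {
    tmp=$(mktemp) || return 1
    sed -E "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Print the number of lines under $1 (Go sources and debian/control)
# that still reference an old package name or import path.
count_old_refs() {
    grep -rE --include='*.go' --include=control \
        "$OLD_IMPORT_RE|$OLD_PKG_RE" "$1" | wc -l | tr -d ' '
}

# Migrate the unpacked source package rooted at $1.
migrate_pkcs7() {
    # A version constraint written for an old package says nothing about
    # the fork, so any "(...)" following the old name is dropped with it.
    rewrite "$1/debian/control" "s#$OLD_PKG_RE( *\([^)]*\))?#$NEW_PKG#g" || return 1
    grep -rlE --include='*.go' "$OLD_IMPORT_RE" "$1" | while IFS= read -r f; do
        rewrite "$f" "s#$OLD_IMPORT_RE#\"$NEW_IMPORT\"#g" || exit 1
    done
}

# Constructed sample tree (not a real package).
demo=$(mktemp -d)
mkdir -p "$demo/debian" "$demo/scep"
printf '%s\n' 'Source: demo' 'Build-Depends: debhelper-compat (= 13),' \
    ' golang-github-fullsailor-pkcs7-dev (>= 0.0~git20210826.33d0574~),' \
    ' golang-go' > "$demo/debian/control"
printf '%s\n' 'package scep' 'import "github.com/fullsailor/pkcs7"' \
    'var _ = pkcs7.Parse' > "$demo/scep/scep.go"
echo "before: $(count_old_refs "$demo") old reference(s)"
migrate_pkcs7 "$demo"
echo "after:  $(count_old_refs "$demo") old reference(s)"
rm -rf "$demo"
```

Building the rewritten tree afterwards is what shows whether the fork's API differs enough to require code changes in a downstream package.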
