[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: seeking review of golang-github-hashicorp-go-version v1.8.0

Hello Andrew,

I'd say that you have done the proper due diligence and that it's fine
to go ahead and upload to unstable.  If anyone notices anything amiss,
we can always file an RC-severity bug to prevent migration to testing.

Cheers,
tony

On Wed, Mar 04, 2026 at 12:51:20PM +0100, Andrew Lee wrote:
> Hello Fede and others,
> 
> I am also new to the build-reverse-dependencies via salsa-ci stuff.
> 
> I just forked the project and then ran build-reverse-dependencies via
> salsa-ci under my namespace.
> 
> However, I got only 13 reverse-dependencies:
>   https://salsa.debian.org/ajqlee/golang-github-hashicorp-go-version/-/pipelines/1036826
> 
> And my salsa-ci pipeline uses this recipes:
>   https://salsa.debian.org/ajqlee/pipeline/-/blob/master/debian-go-ratt.yml
> 
> Please let me know if it's okay to upload for Federico as all the 13
> reverse-dependencies builds.
> Or correct me if I missed something.
> 
> Best regards,
> -Andrew
> 
> On Tue, Mar 3, 2026 at 2:38 AM Federico Grau <donfede@casagrau.org> wrote:
> >
> > * bump *
> >
> > Checking again per next steps to upload v1.8.0 of golang-github-hashicorp-go-version
> > to unstable.
> >
> > I had updated the copyright and performed my attempts at reverse build checks
> > that appeared mostly ok.
> >
> > Welcome guidance on additional steps I should take or other constructive
> > feedback.
> >
> > Respectfully,
> > donfede
> >
> > Fede Grau
> >
> >
> > On Thu, Jan 29, 2026 at 07:14:27PM -0500, Federico Grau wrote:
> > > Hello --
> > >
> > > Kind thanks for the OOB feedback.  I have updated debian/copyright of
> > > golang-github-hashicorp-go-version to match their upstream changes circa
> > > 2025-11.
> > >
> > > Checking per next steps to upload v1.8.0 of golang-github-hashicorp-go-version
> > > to unstable.
> > >
> > > Regards,
> > > donfede
> > >
> > > Fede Grau
> > >
> > >
> > > On Tue, Jan 27, 2026 at 07:57:43PM -0500, Federico Grau wrote:
> > > >
> > > > Greetings again debian-go team --
> > > >
> > > >
> > > > I've completed "ratt" (0.0~git20250829.39528ce-1+b1) runs for
> > > > golang-github-hashicorp-go-version in my local build environment.
> > > >
> > > > It reports 19/20 reverse dependencies build OK, and errors with
> > > > "go-cve-dictionary".  I have not pursued the go-cve-dictionary errors (and am
> > > > not sure I'm the right person for that; at least for a couple months, while I
> > > > finish "pat" updates).
> > > >
> > > > What might be the next best steps to progress
> > > > golang-github-hashicorp-go-version v1.8.0 to unstable (or alt path)?  Should a
> > > > bug report be filed for go-cve-dictionary or some email notice sent?  Both
> > > > packages are maintained by the Debian Go Packaging Team.
> > > >
> > > >     https://tracker.debian.org/pkg/go-cve-dictionary
> > > >
> > > >     https://tracker.debian.org/pkg/golang-github-hashicorp-go-version
> > > >
> > > >     https://manpages.debian.org/unstable/ratt/ratt.1.en.html
> > > >
> > > >
> > > > While I don't understand salsa.d.o gitlab CI very well, I had attempted to run
> > > > a reverse dependency check on golang-github-hashicorp-go-version, which seemed
> > > > to report a much higher number of reverse dependencies -- ~342 vs 20 by
> > > > ratt?!?  It's possible I erred submitting the job or misinterpreted the
> > > > output.
> > > >
> > > >     https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/jobs/8894428
> > > >
> > > >     https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies
> > > >
> > > >
> > > > I welcome constructive feedback or suggested guidance on next steps, and also
> > > > recognize other tasks may have priority near term.
> > > >
> > > >
> > > > Best,
> > > > donfede
> > > >
> > > > Fede Grau
> > > >
> > > >
> > > > On Wed, Jan 21, 2026 at 08:41:46PM -0500, Federico Grau wrote:
> > > > >
> > > > > Many thanks again for the constructive feedback Simon,
> > > > >
> > > > >
> > > > > (pardon my delayed response, I've been balancing other tasks)
> > > > >
> > > > >
> > > > > While I appreciate the feedback, this go-version effort is presenting some new
> > > > > scenarios to me, and I have some question responses before making more
> > > > > changes.
> > > > >
> > > > >
> > > > > a) debian/copyright
> > > > >
> > > > > While I was reviewing the go-version git diffs, I had observed "IBM" added as
> > > > > a copyright owner to upstream files ... but admit not understanding how to
> > > > > best proceed, and erroneously extended the debian/copyright years for the
> > > > > original author.
> > > > >
> > > > > Looking over the upstream git repo closer today, it seems circa 2025-Nov-03
> > > > > that IBM copyright replaced previous Hashicorp copyrights for 2025 and also
> > > > > backdated to 2014.  The license remains the same (MPL-2.0).
> > > > >
> > > > >     https://github.com/hashicorp/go-version/commit/9325934670def5fb8afc1eb866fbbeba243f02ce
> > > > >
> > > > >     https://github.com/hashicorp/go-version/commit/0824a8987d8bc2b76c928ccea7d8a4a4f0b6c9e0
> > > > >
> > > > > *** Should debian/copyright likewise be edited, removing past references to
> > > > > "Mitchell Hashimoto <mitchell.hashimoto@gmail.com>" and replacing them with
> > > > > "IBM Corp." or something else? ***
> > > > >
> > > > >
> > > > >
> > > > > b) ratt - reverse build tests
> > > > >
> > > > > I had not previously used ratt, but will explore it following the links below.
> > > > > Skimming the github page this looks like something I can test/run in my local
> > > > > build environment (gbp, sbuild).  How would salsa CI fit into this, not clear
> > > > > what job to start or study?
> > > > >
> > > > >     https://manpages.debian.org/unstable/ratt/ratt.1.en.html
> > > > >
> > > > >     https://github.com/Debian/ratt
> > > > >
> > > > >
> > > > >
> > > > > c) upstream code changes?   "Looks like some potential for API difficulties,"
> > > > >
> > > > > I had read through the code changes via git diff, but am not an expert golang
> > > > > coder and may be overextending myself.
> > > > >
> > > > >
> > > > > Trying to look over these code and potential API changes closer, they seem
> > > > > mostly compatible but I'm still unclear if they may cause issues with other
> > > > > packages.  Hopefully ratt will help.
> > > > >
> > > > >  - new BenchmarkVersionString() functions should not be an issue
> > > > >  - new Scan() functions for sql.Scanner should not be an issue
> > > > >  - new constraintRegexp() functions are added, and constraintOperators var
> > > > >    removed; unclear if this is publicly exposed
> > > > >  - new getVersionRegexp() appears to return a similar type as old var
> > > > >  - new equalSegments() function does not look like an issue
> > > > >
> > > > >
> > > > >  # upstream CHANGELOG.md lists:
> > > > >  v1.8.0
> > > > >  - Add benchmark test for version.String() in https://github.com/hashicorp/go-version/pull/159
> > > > >  - Bytes implementation in https://github.com/hashicorp/go-version/pull/161
> > > > >
> > > > >  v1.7.0
> > > > >  - Remove `reflect` dependency ([#91](https://github.com/hashicorp/go-version/pull/91))
> > > > >  - Implement the `database/sql.Scanner` and `database/sql/driver.Value` interfaces for `Version` ([#133](https://github.com/hashicorp/go-version/pull/133))
> > > > >
> > > > >  v1.6.0 - current Debian package
> > > > >
> > > > >
> > > > >
> > > > > Regards,
> > > > > donfede
> > > > >
> > > > >
> > > > > On Fri, Jan 16, 2026 at 05:17:14PM +0100, Simon Josefsson wrote:
> > > > > > Upstream added a copyright notice:
> > > > > >
> > > > > > https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/commit/a9da87e466345495e4bc89d5f38f5861aecc30cc#0398ccd0f49298b10a3d76a47800d2ebecd49859_1_1
> > > > > >
> > > > > > You need to add it to debian/copyright.
> > > > > >
> > > > > > Otherwise looks good to me, but a reverse rebuild is necessary here.
> > > > > > Did you try ratt?
> > > > > >
> > > > > > We have used Salsa CI for this a couple of times for migrations, it has
> > > > > > a 100 job limit.  So please start a job like that.  Did you review
> > > > > > upstream code changes?   Looks like some potential for API difficulties,
> > > > > > but let's hope for the best...
> > > > > >
> > > > > > /Simon
> > > > > >
> > > > > > Federico Grau <donfede@casagrau.org> writes:
> > > > > >
> > > > > > > Hello again debian-go team --
> > > > > > >
> > > > > > >
> > > > > > > I've updated package golang-github-hashicorp-go-version on salsa.d.o from
> > > > > > > v1.6.0 to v1.8.0 .
> > > > > > >
> > > > > > >     https://tracker.debian.org/pkg/golang-github-hashicorp-go-version
> > > > > > >
> > > > > > >
> > > > > > > This is a dependency of the `pat' package I've been collaborating on.
> > > > > > >
> > > > > > >     https://lists.debian.org/debian-go/2025/12/msg00012.html
> > > > > > >
> > > > > > >     https://tracker.debian.org/pkg/pat
> > > > > > >
> > > > > > >
> > > > > > > The upstream changes were relatively minor.
> > > > > > >
> > > > > > > I also made some minor debian updates (standards [no changes], copyright
> > > > > > > years, watch [format v3 to v5 using uscan generator]).  My review and testing
> > > > > > > appear ok.
> > > > > > >
> > > > > > > However, checking the reverse dependencies there appear to be ~342 other
> > > > > > > packages using golang-github-hashicorp-go-version.  I do not want to create
> > > > > > > issues.
> > > > > > >
> > > > > > >     https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies
> > > > > > >
> > > > > > >
> > > > > > > As there are cycles I welcome review and constructive feedback if corrections
> > > > > > > are needed.  If all is well may the package be upload to unstable?
> > > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > > donfede
> > > > > > >
> > > > > > > Fede Grau
> >
> >
> 
> 
> --
> -Andrew
Reply to: