Bug#995171: [Help] Re: Bug#995171: need newer release
Am Thu, Jan 27, 2022 at 06:23:08PM +0530 schrieb Nilesh Patra:
> > is not the case for the latest
> > version of golang-github-vbauerster-mpb-dev:> [...]
> > -o ./singularity /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/cmd/singularity
> > ../internal/app/singularity/push.go:23:2: cannot find package "github.com/vbauerster/mpb/v4" in any of:
> That's because if you look in singularity's go.mod, it depends on both versions of this package (v4 and v6)
> see here
> Ideally, it should have different versioned 'XS-Go-Import-Path' for all versions. For instance as done in
> blackfriday package see here
> So as far as I can tell, you could do the following:
> a) Package different versions of both with correct import paths, upload to new and then
> add B-D on these.
I admit this sounds technically clean but I would like to fix the CVEs
in singularity-container rather sooner than later and passing NEW queue
is not promising regarding a quick fix.
> b) (Not highly) recommended) Vendor the old version of golang-github-vbauerster-mpb in the vendor directory and use
> that to build. This is messy but would solve the issue. There's already a vendor dir in that package which already
> gets a bunch of stuff, so this might not be much worse.
Amongst your suggestions this sounds like the most probable *I* feel
able to implement. I would love if someone might beat me with a
> c) Port code to the version 7 of this package (which you uploaded)
I've never written a line of code in Go - so this is not for me.
I'd also think this should rather be done upstream.
> d) Revert your upload to version 6 (where it was earlier) and port the code written with version 4 to 6
This will not be sufficient since also version 7 is needed (according
to the docs as well as according to the error message if you build
against version 6.
> > Since I'm not a Go programmer I wonder whether somebody could give
> > some helpful hint how to fix this.
> Me neither, but hopefully that helped a bit?
It gave me some interesting ideas and might hopefully inspire others
to step in in case option b) sound to ugly.
> > PS: I'm not subscribed to debian-go list. Please keep the bug report
> > in CC.
> Hope I did enough to reach out to you :-))
You did! ;-)
> >  https://salsa.debian.org/hpc-team/singularity-container
> >  https://salsa.debian.org/hpc-team/singularity-container/-/jobs/2403226
> : https://salsa.debian.org/hpc-team/singularity-container/-/blob/master/go.mod#L48-49
> : https://salsa.debian.org/go-team/packages/golang-blackfriday/-/blob/debian/sid/debian/control#L18
> : https://salsa.debian.org/go-team/packages/golang-blackfriday-v2/-/blob/debian/sid/debian/control#L17
> : https://blog.gopheracademy.com/advent-2015/vendor-folder/