Your message dated Wed, 12 Mar 2025 03:32:19 +0000
with message-id <[email protected]>
and subject line Bug#1099739: Removed package(s) from unstable
has caused the Debian Bug report #1096174,
regarding keep golang-github-jesseduffield-go-git out of testing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1096174: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1096174
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: golang-github-jesseduffield-go-git
Severity: serious
Hi
I did an upstream upload of go-git to fix some security vulnerabilities
for trixie:
https://tracker.debian.org/pkg/golang-github-go-git-go-git
However I today realized that we have a old fork of that project that
still have the security vulnerability:
https://tracker.debian.org/pkg/golang-github-jesseduffield-go-git
According to upstream github, this package is 6 commits ahead but 701
commits behind https://github.com/go-git/go-git -- the added commits are
here:
https://github.com/go-git/go-git/compare/master...jesseduffield:go-git:master
This looks like an abandonened fork to me, one with known security
vulnerabilities coming from its upstream. Am I reading this right?
Fortunatately this project doesn't seem to have any reverse dependencies
in Debian (see dak output below). I don't think this package should be
shipped in trixie, so I'm opening this bug report to trigger this. Does
anyone disagree?
/Simon
$ ssh mirror.ftp-master.debian.org "dak rm -Rn
golang-github-jesseduffield-go-git"
Will remove the following packages from unstable:
golang-github-jesseduffield-go-git | 5.1.2+git20221018.fdd53fe-1.1 | source
golang-github-jesseduffield-go-git-dev | 5.1.2+git20221018.fdd53fe-1.1 | all
Maintainer: Debian Go Packaging Team <[email protected]>
------------------- Reason -------------------
----------------------------------------------
Checking reverse dependencies...
No dependency problem found.
$
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 5.1.2+git20221018.fdd53fe-1.1+rm
Dear submitter,
as the package golang-github-jesseduffield-go-git has just been removed from
the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1099739
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Paul Tagliamonte (the ftpmaster behind the curtain)
--- End Message ---
