Hi, [...]
Since I'd be sad to see fever go, I would be happy to package a more recent version of go-pg (e.g. 10.15.0 which should not be affected by the CVE open as a bug on the current package [1]) and ensure that fever can build with that, also updating the dependency there. We should then be fine to remove v5 from unstable and forky once the new version of go-pg has passed NEW. Would that be OK with you?

Yes, that sounds like a good plan, so let's defer the removal of golang-gopkg-pg.v5 for when we have a newer version packaged and ensured fever can work with it, move to it, and then get golang-gopkg-pg.v5 removed.

Quick update: Instead I opted for moving FEVER upstream to the currently better supported pgx library, removing its dependency on go-pg.v5 as well. See my last upload of v1.4.0 to unstable.
Is there anything else now in the way of removing go-pg.v5 from unstable/forky? I have tried to list reverse build-dependencies but all I got was:

❯ apt-rdepends --build-depends -r golang-gopkg-pg.v5-dev
E: Reverse build-dependencies are not supported

so if you have any more insight I'd be interested to hear if there's another one.

Cheers
Sascha

