On Tue, 2025-10-28 at 20:23 +0000, Martina Ferrari wrote:
> I wanted to mention that most of the packages in the pkg-go team are
> maintained like this: nobody really "owns" the packages, and we put
> our own names only when first packaging it or when doing very
> substantial work, so almost all uploads are team uploads.

True, and that makes it much easier to apply patches/fixes without
resorting to NMUs through the delayed queue.

> Another important thing is that Notary is a build-dependency for some
> important packages, in particular docker.io and prometheus and many
> other go packages are currently marked for auto-removal because of
> this bug. So we cannot RM notary until those other packages are
> updated to remove the dependency.

We're probably about 1.25 years from the forky freezes beginning, and I
would argue this is a perfect time to file Severity: serious bugs for
packages with dead upstreams, especially for security-related packages.
This gives packages with a build-dependency on it plenty of heads up
and time to sort out the dependency issues before we get too close to a
release freeze cycle starting.

The auto-removal is only from testing, and early in a development
cycle, it doesn't really matter. If anything, it might motivate people
interested in a package (like docker.io) to spend time working with
upstream and/or updating its version in Debian so it will be present in
testing in time for the freezes.

> Would you agree to lower the severity of the bug and keep it as a to-
> do?

I won't stand in the way of someone else lowering this bug's severity,
but if I need to apply another Debian-specific patch to update a
dependency or we go a full year with no real progress I reserve the
right to re-raise the severity. :)

Mathias

