Replying to both:

On Sat, Mar 30, 2024 at 06:59:16PM +0800, Maytham Alsudany wrote:
> On Sat, 2024-03-30 at 09:48 +0100, Simon Josefsson wrote:
> > Maytham Alsudany <maytha8the...@gmail.com> writes:
> >
> > > https://salsa.debian.org/go-team/packages/golang-github-go-git-go-git-fixtures
> >
> > I looked at this update, and one of the proposed changes is to include
> > all of the pre-generated stuff from here:
>
> Previous versions of the package also include this test data.

Right.

> > https://github.com/go-git/go-git-fixtures/tree/master/data
> >
> > directly into the installed Debian package. Given the recent xz fiasco,
> > I have doubts that this is a good idea -- there is a bunch of
> > pre-generated compressed git repositories in that directory, and I don't
> > see any way to re-create them from scratch. They seem to have been
> > manually curated by some developer in the past and then compressed and
> > uploaded, somewhat similar to how the xz problem happened.

At this rate, we will end up pruning a bunch of stuff from Debian. I don't
think it is wise to remove a package just because of paranoia without
fact-checking. I would at least check with the upstream developer once.
Just saying.

Note that I don't have the time nor the interest to argue with you. I'll
just say 'you do you'.

> They can be decoded though to reveal the source; each tgz archive contains a
> bare git repo, which can be converted into a normal git repo using the method
> outlined at [1].
>
> We can regenerate them manually, but it will take a bit of time to do so. What
> I'm thinking is decompressing each repo archive, and converting the commits
> into a series of patches, accompanied by a shell script or something that can
> turn the patches into a Git repo with the correct branches, tags, etc.

That does seem like a good approach, but quite some work - sure.

> Alternatively (in the long-term), we can drop the whole fixtures package as you
> suggested, and rewrite the tests in go-git so that Git is used to generate the
> test repos in the first place (using a Makefile or 'go generate').
>
> > Dropping these files may mean we don't test as much of go-git as is
> > possible to test, but the alternative that we create a vector to inject
> > binaries with no source code into Debian seems worse.
> >
> > Could you modify this package to drop any files that we cannot re-create
> > during the build? Maybe the entire package becomes useless, if so, then
> > we should just remove it IMHO.
>
> RM bug filed.

In such cases, you need to consult the uploader. Please never file RM bugs
without taking permission from the uploader or maintainer (if it is an
individual) of a package.

Do note that it has 2 reverse-depends, which need to be fixed before the
removal happens, else they start to FTBFS.

| $ reverse-depends golang-github-go-git-go-git-fixtures-dev -b
| Reverse-Build-Depends
| =====================
| * golang-github-go-git-go-git
| * golang-github-jesseduffield-go-git

Best,
Nilesh