Greetings again debian-go team --
I've completed "ratt" (0.0~git20250829.39528ce-1+b1) runs for
golang-github-hashicorp-go-version in my local build environment.
It reports 19/20 reverse dependencies build OK, and errors with
"go-cve-dictionary". I have not pursued the go-cve-dictionary errors (and am
not sure I'm the right person for that; at least for a couple months, while I
finish "pat" updates).
What might be the next best steps to progress
golang-github-hashicorp-go-version v1.8.0 to unstable (or alt path)? Should a
bug report be filed for go-cve-dictionary or some email notice sent? Both
packages are maintained by the Debian Go Packaging Team.
https://tracker.debian.org/pkg/go-cve-dictionary
https://tracker.debian.org/pkg/golang-github-hashicorp-go-version
https://manpages.debian.org/unstable/ratt/ratt.1.en.html
While I don't understand salsa.d.o gitlab CI very well, I had attempted to run
a reverse dependency check on golang-github-hashicorp-go-version, which seemed
to report a much higher number of reverse dependencies -- ~342 vs 20 by
ratt?!? It's possible I erred submitting the job or misinterpreted the
output.
https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/jobs/8894428
https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies
I welcome constructive feedback or suggested guidance on next steps, and also
recognize other tasks may have priority near term.
Best,
donfede
Fede Grau
On Wed, Jan 21, 2026 at 08:41:46PM -0500, Federico Grau wrote:
>
> Many thanks again for the constructive feedback Simon,
>
>
> (pardon my delayed response, I've been balancing other tasks)
>
>
> While I appreciate the feedback, this go-version effort is presenting some new
> scenarios to me, and I have some question responses before making more
> changes.
>
>
> a) debian/copyright
>
> While I was reviewing the go-version git diffs, I had observed "IBM" added as
> a copyright owner to upstream files ... but admit not understanding how to
> best proceed, and erroneously extended the debian/copyright years for the
> original author.
>
> Looking over the upstream git repo closer today, it seems circa 2025-Nov-03
> that IBM copyright replaced previous Hashicorp copyrights for 2025 and also
> backdated to 2014. The license remains the same (MPL-2.0).
>
>
> https://github.com/hashicorp/go-version/commit/9325934670def5fb8afc1eb866fbbeba243f02ce
>
>
> https://github.com/hashicorp/go-version/commit/0824a8987d8bc2b76c928ccea7d8a4a4f0b6c9e0
>
> *** Should debian/copyright likewise be edited, removing past references to
> "Mitchell Hashimoto <[email protected]>" and replacing them with
> "IBM Corp." or something else? ***
>
>
>
> b) ratt - reverse build tests
>
> I had not previously used ratt, but will explore it following the links below.
> Skimming the github page this looks like something I can test/run in my local
> build environment (gbp, sbuild). How would salsa CI fit into this, not clear
> what job to start or study?
>
> https://manpages.debian.org/unstable/ratt/ratt.1.en.html
>
> https://github.com/Debian/ratt
>
>
>
> c) upstream code changes? "Looks like some potential for API difficulties,"
>
> I had read through the code changes via git diff, but am not an expert golang
> coder and may be overextending myself.
>
>
> Trying to look over these code and potential API changes closer, they seem
> mostly compatible but I'm still unclear if they may cause issues with other
> packages. Hopefully ratt will help.
>
> - new BenchmarkVersionString() functions should not be an issue
> - new Scan() functions for sql.Scanner should not be an issue
> - new constraintRegexp() functions are added, and constraintOperators var
> removed; unclear if this is publicly exposed
> - new getVersionRegexp() appears to return a similar type as old var
> - new equalSegments() function does not look like an issue
>
>
> # upstream CHANGELOG.md lists:
> v1.8.0
> - Add benchmark test for version.String() in
> https://github.com/hashicorp/go-version/pull/159
> - Bytes implementation in https://github.com/hashicorp/go-version/pull/161
>
> v1.7.0
> - Remove `reflect` dependency
> ([#91](https://github.com/hashicorp/go-version/pull/91))
> - Implement the `database/sql.Scanner` and `database/sql/driver.Value`
> interfaces for `Version`
> ([#133](https://github.com/hashicorp/go-version/pull/133))
>
> v1.6.0 - current Debian package
>
>
>
> Regards,
> donfede
>
>
> On Fri, Jan 16, 2026 at 05:17:14PM +0100, Simon Josefsson wrote:
> > Upstream added a copyright notice:
> >
> > https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/commit/a9da87e466345495e4bc89d5f38f5861aecc30cc#0398ccd0f49298b10a3d76a47800d2ebecd49859_1_1
> >
> > You need to add it to debian/copyright.
> >
> > Otherwise looks good to me, but a reverse rebuild is necessary here.
> > Did you try ratt?
> >
> > We have used Salsa CI for this a couple of times for migrations, it has
> > a 100 job limit. So please start a job like that. Did you review
> > upstream code changes? Looks like some potential for API difficulties,
> > but let's hope for the best...
> >
> > /Simon
> >
> > Federico Grau <[email protected]> writes:
> >
> > > Hello again debian-go team --
> > >
> > >
> > > I've updated package golang-github-hashicorp-go-version on salsa.d.o from
> > > v1.6.0 to v1.8.0 .
> > >
> > > https://tracker.debian.org/pkg/golang-github-hashicorp-go-version
> > >
> > >
> > > This is a dependency of the `pat' package I've been collaborating on.
> > >
> > > https://lists.debian.org/debian-go/2025/12/msg00012.html
> > >
> > > https://tracker.debian.org/pkg/pat
> > >
> > >
> > > The upstream changes were relatively minor.
> > >
> > > I also made some minor debian updates (standards [no changes], copyright
> > > years, watch [format v3 to v5 using uscan generator]). My review and
> > > testing
> > > appear ok.
> > >
> > > However, checking the reverse dependencies there appear to be ~342 other
> > > packages using golang-github-hashicorp-go-version. I do not want to
> > > create
> > > issues.
> > >
> > >
> > > https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies
> > >
> > >
> > > As there are cycles I welcome review and constructive feedback if
> > > corrections
> > > are needed. If all is well may the package be upload to unstable?
> > >
> > >
> > > Regards,
> > > donfede
> > >
> > > Fede Grau
> > >
>
signature.asc
Description: PGP signature
