Hello -- Kind thanks for the OOB feedback. I have updated debian/copyright of golang-github-hashicorp-go-version to match their upstream changes circa 2025-11.
Checking per next steps to upload v1.8.0 of golang-github-hashicorp-go-version to unstable. Regards, donfede Fede Grau On Tue, Jan 27, 2026 at 07:57:43PM -0500, Federico Grau wrote: > > Greetings again debian-go team -- > > > I've completed "ratt" (0.0~git20250829.39528ce-1+b1) runs for > golang-github-hashicorp-go-version in my local build environment. > > It reports 19/20 reverse dependencies build OK, and errors with > "go-cve-dictionary". I have not pursued the go-cve-dictionary errors (and am > not sure I'm the right person for that; at least for a couple months, while I > finish "pat" updates). > > What might be the next best steps to progress > golang-github-hashicorp-go-version v1.8.0 to unstable (or alt path)? Should a > bug report be filed for go-cve-dictionary or some email notice sent? Both > packages are maintained by the Debian Go Packaging Team. > > https://tracker.debian.org/pkg/go-cve-dictionary > > https://tracker.debian.org/pkg/golang-github-hashicorp-go-version > > https://manpages.debian.org/unstable/ratt/ratt.1.en.html > > > While I don't understand salsa.d.o gitlab CI very well, I had attempted to run > a reverse dependency check on golang-github-hashicorp-go-version, which seemed > to report a much higher number of reverse dependencies -- ~342 vs 20 by > ratt?!? It's possible I erred submitting the job or misinterpreted the > output. > > > https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/jobs/8894428 > > > https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies > > > I welcome constructive feedback or suggested guidance on next steps, and also > recognize other tasks may have priority near term. > > > Best, > donfede > > Fede Grau > > > On Wed, Jan 21, 2026 at 08:41:46PM -0500, Federico Grau wrote: > > > > Many thanks again for the constructive feedback Simon, > > > > > > (pardon my delayed response, I've been balancing other tasks) > > > > > > While I appreciate the feedback, this go-version effort is presenting some > > new > > scenarios to me, and I have some question responses before making more > > changes. > > > > > > a) debian/copyright > > > > While I was reviewing the go-version git diffs, I had observed "IBM" added > > as > > a copyright owner to upstream files ... but admit not understanding how to > > best proceed, and erroneously extended the debian/copyright years for the > > original author. > > > > Looking over the upstream git repo closer today, it seems circa 2025-Nov-03 > > that IBM copyright replaced previous Hashicorp copyrights for 2025 and also > > backdated to 2014. The license remains the same (MPL-2.0). > > > > > > https://github.com/hashicorp/go-version/commit/9325934670def5fb8afc1eb866fbbeba243f02ce > > > > > > https://github.com/hashicorp/go-version/commit/0824a8987d8bc2b76c928ccea7d8a4a4f0b6c9e0 > > > > *** Should debian/copyright likewise be edited, removing past references to > > "Mitchell Hashimoto <[email protected]>" and replacing them with > > "IBM Corp." or something else? *** > > > > > > > > b) ratt - reverse build tests > > > > I had not previously used ratt, but will explore it following the links > > below. > > Skimming the github page this looks like something I can test/run in my > > local > > build environment (gbp, sbuild). How would salsa CI fit into this, not > > clear > > what job to start or study? > > > > https://manpages.debian.org/unstable/ratt/ratt.1.en.html > > > > https://github.com/Debian/ratt > > > > > > > > c) upstream code changes? "Looks like some potential for API > > difficulties," > > > > I had read through the code changes via git diff, but am not an expert > > golang > > coder and may be overextending myself. > > > > > > Trying to look over these code and potential API changes closer, they seem > > mostly compatible but I'm still unclear if they may cause issues with other > > packages. Hopefully ratt will help. > > > > - new BenchmarkVersionString() functions should not be an issue > > - new Scan() functions for sql.Scanner should not be an issue > > - new constraintRegexp() functions are added, and constraintOperators var > > removed; unclear if this is publicly exposed > > - new getVersionRegexp() appears to return a similar type as old var > > - new equalSegments() function does not look like an issue > > > > > > # upstream CHANGELOG.md lists: > > v1.8.0 > > - Add benchmark test for version.String() in > > https://github.com/hashicorp/go-version/pull/159 > > - Bytes implementation in https://github.com/hashicorp/go-version/pull/161 > > > > v1.7.0 > > - Remove `reflect` dependency > > ([#91](https://github.com/hashicorp/go-version/pull/91)) > > - Implement the `database/sql.Scanner` and `database/sql/driver.Value` > > interfaces for `Version` > > ([#133](https://github.com/hashicorp/go-version/pull/133)) > > > > v1.6.0 - current Debian package > > > > > > > > Regards, > > donfede > > > > > > On Fri, Jan 16, 2026 at 05:17:14PM +0100, Simon Josefsson wrote: > > > Upstream added a copyright notice: > > > > > > https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/commit/a9da87e466345495e4bc89d5f38f5861aecc30cc#0398ccd0f49298b10a3d76a47800d2ebecd49859_1_1 > > > > > > You need to add it to debian/copyright. > > > > > > Otherwise looks good to me, but a reverse rebuild is necessary here. > > > Did you try ratt? > > > > > > We have used Salsa CI for this a couple of times for migrations, it has > > > a 100 job limit. So please start a job like that. Did you review > > > upstream code changes? Looks like some potential for API difficulties, > > > but let's hope for the best... > > > > > > /Simon > > > > > > Federico Grau <[email protected]> writes: > > > > > > > Hello again debian-go team -- > > > > > > > > > > > > I've updated package golang-github-hashicorp-go-version on salsa.d.o > > > > from > > > > v1.6.0 to v1.8.0 . > > > > > > > > https://tracker.debian.org/pkg/golang-github-hashicorp-go-version > > > > > > > > > > > > This is a dependency of the `pat' package I've been collaborating on. > > > > > > > > https://lists.debian.org/debian-go/2025/12/msg00012.html > > > > > > > > https://tracker.debian.org/pkg/pat > > > > > > > > > > > > The upstream changes were relatively minor. > > > > > > > > I also made some minor debian updates (standards [no changes], copyright > > > > years, watch [format v3 to v5 using uscan generator]). My review and > > > > testing > > > > appear ok. > > > > > > > > However, checking the reverse dependencies there appear to be ~342 other > > > > packages using golang-github-hashicorp-go-version. I do not want to > > > > create > > > > issues. > > > > > > > > > > > > https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies > > > > > > > > > > > > As there are cycles I welcome review and constructive feedback if > > > > corrections > > > > are needed. If all is well may the package be upload to unstable? > > > > > > > > > > > > Regards, > > > > donfede > > > > > > > > Fede Grau
signature.asc
Description: PGP signature
