Hello --

Kind thanks for the OOB feedback.  I have updated debian/copyright of
golang-github-hashicorp-go-version to match their upstream changes circa
2025-11.

Checking per next steps to upload v1.8.0 of golang-github-hashicorp-go-version
to unstable.

Regards,
donfede

Fede Grau


On Tue, Jan 27, 2026 at 07:57:43PM -0500, Federico Grau wrote:
> 
> Greetings again debian-go team --
> 
> 
> I've completed "ratt" (0.0~git20250829.39528ce-1+b1) runs for
> golang-github-hashicorp-go-version in my local build environment.  
> 
> It reports 19/20 reverse dependencies build OK, and errors with
> "go-cve-dictionary".  I have not pursued the go-cve-dictionary errors (and am
> not sure I'm the right person for that; at least for a couple months, while I
> finish "pat" updates).
> 
> What might be the next best steps to progress
> golang-github-hashicorp-go-version v1.8.0 to unstable (or alt path)?  Should a
> bug report be filed for go-cve-dictionary or some email notice sent?  Both
> packages are maintained by the Debian Go Packaging Team.
> 
>     https://tracker.debian.org/pkg/go-cve-dictionary
> 
>     https://tracker.debian.org/pkg/golang-github-hashicorp-go-version
> 
>     https://manpages.debian.org/unstable/ratt/ratt.1.en.html
> 
> 
> While I don't understand salsa.d.o gitlab CI very well, I had attempted to run
> a reverse dependency check on golang-github-hashicorp-go-version, which seemed
> to report a much higher number of reverse dependencies -- ~342 vs 20 by
> ratt?!?  It's possible I erred submitting the job or misinterpreted the
> output.
> 
>     https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/jobs/8894428
> 
>     https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies
> 
> 
> I welcome constructive feedback or suggested guidance on next steps, and also
> recognize other tasks may have priority near term.
> 
> 
> Best,
> donfede
> 
> Fede Grau
> 
> 
> On Wed, Jan 21, 2026 at 08:41:46PM -0500, Federico Grau wrote:
> > 
> > Many thanks again for the constructive feedback Simon,
> > 
> > 
> > (pardon my delayed response, I've been balancing other tasks)
> > 
> > 
> > > While I appreciate the feedback, this go-version effort is presenting some
> > > new scenarios to me, and I have some question responses before making more
> > > changes.
> > 
> > 
> > a) debian/copyright
> > 
> > > While I was reviewing the go-version git diffs, I had observed "IBM" added
> > > as a copyright owner to upstream files ... but admit not understanding how
> > > to best proceed, and erroneously extended the debian/copyright years for the
> > > original author.
> > 
> > Looking over the upstream git repo closer today, it seems circa 2025-Nov-03
> > that IBM copyright replaced previous Hashicorp copyrights for 2025 and also
> > backdated to 2014.  The license remains the same (MPL-2.0).
> > 
> >     
> > https://github.com/hashicorp/go-version/commit/9325934670def5fb8afc1eb866fbbeba243f02ce
> > 
> >     
> > https://github.com/hashicorp/go-version/commit/0824a8987d8bc2b76c928ccea7d8a4a4f0b6c9e0
> > 
> > *** Should debian/copyright likewise be edited, removing past references to
> > "Mitchell Hashimoto <[email protected]>" and replacing them with
> > "IBM Corp." or something else? ***
> > 
> > 
> > 
> > b) ratt - reverse build tests
> > 
> > > I had not previously used ratt, but will explore it following the links
> > > below.  Skimming the github page this looks like something I can test/run in
> > > my local build environment (gbp, sbuild).  How would salsa CI fit into this,
> > > not clear what job to start or study?
> > 
> >     https://manpages.debian.org/unstable/ratt/ratt.1.en.html
> > 
> >     https://github.com/Debian/ratt
> > 
> > 
> > 
> > > c) upstream code changes?   "Looks like some potential for API difficulties,"
> > 
> > > I had read through the code changes via git diff, but am not an expert
> > > golang coder and may be overextending myself.
> > 
> > 
> > Trying to look over these code and potential API changes closer, they seem
> > mostly compatible but I'm still unclear if they may cause issues with other
> > packages.  Hopefully ratt will help.
> > 
> >  - new BenchmarkVersionString() functions should not be an issue
> >  - new Scan() functions for sql.Scanner should not be an issue
> >  - new constraintRegexp() functions are added, and constraintOperators var
> >    removed; unclear if this is publicly exposed
> >  - new getVersionRegexp() appears to return a similar type as old var
> >  - new equalSegments() function does not look like an issue
> > 
> > 
> >  # upstream CHANGELOG.md lists:
> >  v1.8.0
> > >  - Add benchmark test for version.String() in https://github.com/hashicorp/go-version/pull/159
> > >  - Bytes implementation in https://github.com/hashicorp/go-version/pull/161
> > > 
> > >  v1.7.0
> > >  - Remove `reflect` dependency ([#91](https://github.com/hashicorp/go-version/pull/91))
> > >  - Implement the `database/sql.Scanner` and `database/sql/driver.Value` interfaces for `Version` ([#133](https://github.com/hashicorp/go-version/pull/133))
> > 
> >  v1.6.0 - current Debian package
> > 
> > 
> > 
> > Regards,
> > donfede
> > 
> > 
> > On Fri, Jan 16, 2026 at 05:17:14PM +0100, Simon Josefsson wrote:
> > > Upstream added a copyright notice:
> > > 
> > > https://salsa.debian.org/go-team/packages/golang-github-hashicorp-go-version/-/commit/a9da87e466345495e4bc89d5f38f5861aecc30cc#0398ccd0f49298b10a3d76a47800d2ebecd49859_1_1
> > > 
> > > You need to add it to debian/copyright.
> > > 
> > > Otherwise looks good to me, but a reverse rebuild is necessary here.
> > > Did you try ratt?
> > > 
> > > We have used Salsa CI for this a couple of times for migrations, it has
> > > a 100 job limit.  So please start a job like that.  Did you review
> > > upstream code changes?   Looks like some potential for API difficulties,
> > > but let's hope for the best...
> > > 
> > > /Simon
> > > 
> > > Federico Grau <[email protected]> writes:
> > > 
> > > > Hello again debian-go team --
> > > >
> > > >
> > > > > I've updated package golang-github-hashicorp-go-version on salsa.d.o
> > > > > from v1.6.0 to v1.8.0.
> > > >
> > > >     https://tracker.debian.org/pkg/golang-github-hashicorp-go-version
> > > >
> > > >
> > > > This is a dependency of the `pat' package I've been collaborating on.  
> > > >
> > > >     https://lists.debian.org/debian-go/2025/12/msg00012.html
> > > >
> > > >     https://tracker.debian.org/pkg/pat
> > > >
> > > >
> > > > The upstream changes were relatively minor.  
> > > >
> > > > > I also made some minor debian updates (standards [no changes], copyright
> > > > > years, watch [format v3 to v5 using uscan generator]).  My review and
> > > > > testing appear ok.
> > > >
> > > > > However, checking the reverse dependencies there appear to be ~342 other
> > > > > packages using golang-github-hashicorp-go-version.  I do not want to
> > > > > create issues.
> > > > >
> > > > >     https://salsa.debian.org/salsa-ci-team/pipeline/#build-reverse-dependencies
> > > >
> > > >
> > > > > As there are cycles I welcome review and constructive feedback if
> > > > > corrections are needed.  If all is well may the package be uploaded to
> > > > > unstable?
> > > >
> > > >
> > > > Regards,
> > > > donfede
> > > >
> > > > Fede Grau
