Simon Josefsson <[email protected]> writes: >>>> golang-github-cespare-xxhash >>> >>> I think this is a false positive >> >> Another false positive from your list: golang-github-github-smimesign. > > I found another different kind of false positive: golang-golang-x-vuln
Two more "strange" packages, where upstream doesn't ship any go.mod at all. There are two problems here: 1) the source files are duplicated, once in v2/ and then again in v2/v2, this doesn't match upstream source code, and 2) the go.mod is generated into v2/v2 but not in v2/. 1) golang-github-jcmturner-dnsutils.v2-dev Compare https://packages.debian.org/trixie/all/golang-github-jcmturner-dnsutils.v2-dev/filelist https://packages.debian.org/sid/all/golang-github-jcmturner-dnsutils.v2-dev/filelist 2) golang-github-jcmturner-aescts.v2 Compare https://packages.debian.org/trixie/all/golang-github-jcmturner-aescts.v2-dev/filelist with https://packages.debian.org/sid/all/golang-github-jcmturner-aescts.v2-dev/filelist /Simon
signature.asc
Description: PGP signature
