Simon Josefsson <[email protected]> writes:

>>>> golang-github-cespare-xxhash
>>>
>>> I think this is a false positive
>>
>> Another false positive from your list: golang-github-github-smimesign.
>
> I found another different kind of false positive: golang-golang-x-vuln

Two more "strange" packages, where upstream doesn't ship any go.mod at
all.  There are two problems here: 1) the source files are duplicated,
once in v2/ and then again in v2/v2, this doesn't match upstream source
code, and 2) the go.mod is generated into v2/v2 but not in v2/.

1) golang-github-jcmturner-dnsutils.v2-dev

Compare

https://packages.debian.org/trixie/all/golang-github-jcmturner-dnsutils.v2-dev/filelist

https://packages.debian.org/sid/all/golang-github-jcmturner-dnsutils.v2-dev/filelist

2) golang-github-jcmturner-aescts.v2

Compare

https://packages.debian.org/trixie/all/golang-github-jcmturner-aescts.v2-dev/filelist

with

https://packages.debian.org/sid/all/golang-github-jcmturner-aescts.v2-dev/filelist

/Simon

Attachment: signature.asc
Description: PGP signature

Reply via email to