X-Debbugs-Cc: [email protected]

Hi Maytham,

Thanks a lot for having a look at the package. I am resuming the work of having syft and grype in Debian.

Regarding vendored dependencies: I understand the concern and fully agree with the goal. However, I'd like to make the case that an interim vendored upload could be appropriate here, consistent with Debian Policy and existing archive precedent.

- Debian Policy 4.13 states that packages "should not" use embedded copies and that dependencies "should be packaged separately as a prerequisite *if possible*" [1]. With 114 of 324 Go dependencies not yet in Debian (35%), full de-vendoring is not currently possible.

- There is precedent in the archive: docker.io, containerd, and prometheus are all accepted into the Debian archive with vendored Go dependencies. Each documents the rationale in debian/README.source, as I have done. e.g.:

  https://salsa.debian.org/lts-team/packages/docker.io/-/blob/debian/buster/debian/README.source
  https://salsa.debian.org/go-team/packages/containerd/-/blob/debian/sid/debian/README.source
  https://salsa.debian.org/go-team/packages/prometheus/-/tree/debian/sid/debian/vendor

- Progress since the initial RFS: Since my January RFS, 6 more dependencies have been resolved:

  golang-github-cyclonedx-cyclonedx-go
  golang-modernc-sqlite
  golang-modernc-libc
  golang-github-gkampitakis-go-snaps
  golang-go.uber-atomic
  golang-go.uber-multierr

  The package is now at 210/324 packaged.

The packaging strategy and de-vendoring roadmap that I propose is documented in debian/README.source. My intention is to maintain this within the Go Packaging Team afterwards.

I have updated the package to version 1.42.3+ds-1 on:

  https://salsa.debian.org/mendezr/syft
  https://mentors.debian.net/package/syft

  dget -x https://mentors.debian.net/debian/pool/main/s/syft/syft_1.42.3+ds-1.dsc

Please let me know your thoughts.

Cc: Arturo, who has also shown interest in sponsoring.

Regards,
Juan Manuel Méndez Rey

