[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2017-01-27 Thread Steve Langasek 
The yakkety-proposed upload has been removed; per the discussion in the
bug I'm setting this back to v-needed for xenial.

** Tags removed: verification-failed
** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-22 Thread Mathieu Trudel-Lapierre 
golang-go.crypto is in xenial-proposed and the build certainly should
have used it (and reports so, if only Built-Using can be trusted). If
that's not the case, it's definitely a bug that needs to be fixed.

However, we need to consider this separately from yakkety. golang-
go.crypto in yakkety should be removed, as it currently breaks other
things in the archive (with this package, other golang packages will be
uninstallable) and blocks other SRUs from being verified.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Adam Conrad 
"Also, I requested that golang-go.crypto be de-vendorized in juju-core
in zesty and continue to not be vendorized in xenial since it is an LTS
and we'll be supporting it for quite some time."

Not convinced this is what's happened.  Looking at a xenial build log,
it certainly *builds* a local copy of crypto.  And if, as this bug
states, the crypto in yakkety was too old for juju, I don't see how the
crypto in xenial would be magically okay, given that the juju versions
are the same in both.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Mathieu Trudel-Lapierre 
It was in an IRC conversation between me and Steve Langasek, after
getting the Security team's approval (via tyhicks, also on IRC) that re-
vendorizing golang-go.crypto was okay in yakkety, given that it's not a
LTS release, and that there is at least another package (definitely
snapd, and probably also lxd) that vendorizes everything.

My immediate concern isn't in the effort of rebuilding every reverse-
dependency of golang-go.crypto, but of the high potential for regression
involved in getting this new crypto and rebuilding everything against
it, in the context of juju-core which is a project that is expected to
change a lot. There WILL be other SRUs of juju-core in the future, and I
don't know if other updates of golang packages may be required.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Mathieu Trudel-Lapierre 
Michael, you're right, in xenial we do build with golang-go.crypto,
which hasn't been migrated yet, but doesn't have the same golang rebuild
issues as in yakkety.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Tyler Hicks 
Adam, the decision was made between Mathieu, Steve Langasek, and myself.

My understanding was that juju-core was let into yakkety, shortly before
the release, with a vendorized golang-go.crypto. That went against the
MIR requirements and should not have happened. This SRU attempted to
undo the vendorization but would have introduced quite a bit of
regression risk in yakkety due to the need to bump the snapshot in the
yakkety archive.

I was ok with allowing juju-core to continue to vendorize golang-
go.crypto only in yakkety since yakkety is an intermediate release and
this mistake was present in yakkety-release. Also, I requested that
golang-go.crypto be de-vendorized in juju-core in zesty and continue to
not be vendorized in xenial since it is an LTS and we'll be supporting
it for quite some time.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Michael Hudson-Doyle 
On 22 November 2016 at 08:40, Mathieu Trudel-Lapierre 
wrote:

> The same story applies to xenial.


Are you sure? No Go shared libraries in Xenial.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Adam Conrad 
"It was decided" by whom?  If rebuilding "the world" due to a golang
build-dep is a problem, then we have a massively poor security story
here, and that needs sorting, not hand-waving past as "meh, too hard,
guess we never change golang-crypto."

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Mathieu Trudel-Lapierre 
verification-failed: there are various issues with de-vendorizing crypto
in yakkety, including the need to rebuild half of the golang world; it
was decided to land juju-core without the de-vendorizing in yakkety.

** Tags removed: verification-needed
** Tags added: verification-failed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-11-21 Thread Mathieu Trudel-Lapierre 
The same story applies to xenial.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-10-27 Thread Brian Murray 
Hello Mathieu, or anyone else affected,

Accepted golang-go.crypto into xenial-proposed. The package will build
now and be available at https://launchpad.net/ubuntu/+source/golang-
go.crypto/1:0.0~git20161012.0.5f31782-1ubuntu0.16.04.1 in a few hours,
and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: golang-go.crypto (Ubuntu Xenial)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-10-24 Thread Steve Langasek 
Hello Mathieu, or anyone else affected,

Accepted golang-go.crypto into yakkety-proposed. The package will build
now and be available at https://launchpad.net/ubuntu/+source/golang-
go.crypto/1:0.0~git20161012.0.5f31782-1ubuntu0.16.10.1 in a few hours,
and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: golang-go.crypto (Ubuntu Yakkety)
   Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-10-24 Thread Mathieu Trudel-Lapierre 
** Description changed:

  [Impact]
  Go software using crypto modules. Juju-core was accepted in the archive with 
a vendorized version of golang-go.crypto at the last minute, but it should be 
removed and the archive version used instead.
  
  [Test case]
  - building Juju -
  build juju-core, make sure it uses golang-golang-x-crypto-dev.
  
  - rebuild tests for reverse dependencies -
  rebuild r-deps for golang-go.crypto.
  
  [Regression Potential]
- 
+ New failure modes in building reverse-dependencies of crypto, or to build/run 
juju would constitute a regression of this update.
  
  
  
  juju-core currently ships a copy of golang-go.crypto with itself. It
  shouldn't, and should instead use the copy of golang-go.crypto from the
  archive by Build-Depending on golang-golang-x-crypto.
  
  This requires a newer snapshot of golang-go.crypto as juju-core or
  golang-go.net require the acme package from crypto, which is not
  properly exported in golang-go.crypto 1:0.0~git20160824.0.351dc6a-
  1ubuntu1.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-10-20 Thread Mathieu Trudel-Lapierre 
There's now https://launchpad.net/ubuntu/+source/golang-
go.crypto/1:0.0~git20161012.0.5f31782-1ubuntu1 in zesty.

** Changed in: golang-go.crypto (Ubuntu Zesty)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1634609] Re: de-vendorize golang-go.crypto from juju-core

2016-10-19 Thread Mathieu Trudel-Lapierre 
** Also affects: juju-core (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: golang-go.crypto (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: juju-core (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: golang-go.crypto (Ubuntu Zesty)
   Importance: High
 Assignee: Mathieu Trudel-Lapierre (cyphermox)
   Status: In Progress

** Also affects: juju-core (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: golang-go.crypto (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: golang-go.crypto (Ubuntu Yakkety)
   Status: New => In Progress

** Changed in: golang-go.crypto (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: golang-go.crypto (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: golang-go.crypto (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: golang-go.crypto (Ubuntu Yakkety)
 Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Changed in: golang-go.crypto (Ubuntu Xenial)
 Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Description changed:

+ [Impact]
+ Go software using crypto modules. Juju-core was accepted in the archive with 
a vendorized version of golang-go.crypto at the last minute, but it should be 
removed and the archive version used instead.
+ 
+ [Test case]
+ - building Juju -
+ build juju-core, make sure it uses golang-golang-x-crypto-dev.
+ 
+ - rebuild tests for reverse dependencies -
+ rebuild r-deps for golang-go.crypto.
+ 
+ [Regression Potential]
+ 
+ 
+ 
+ 
  juju-core currently ships a copy of golang-go.crypto with itself. It
  shouldn't, and should instead use the copy of golang-go.crypto from the
  archive by Build-Depending on golang-golang-x-crypto.
  
  This requires a newer snapshot of golang-go.crypto as juju-core or
  golang-go.net require the acme package from crypto, which is not
  properly exported in golang-go.crypto 1:0.0~git20160824.0.351dc6a-
  1ubuntu1.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634609

Title:
  de-vendorize golang-go.crypto from juju-core

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-go.crypto/+bug/1634609/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs