Hi Nathan and Seb, one detail we missed here (thanks Michael for the catch) is that this is one of the first golang in main in which we could go for not being forced to vendor all the dependencies. But just as with vendored dependencies you'd be expected to look after them in the package, here
The machinery does not block the proposed migration as much as with runtime dependencies and so it slipped through. I do not want to unroll to many things so late, but you'd need to process MIRs for all the things this pulls in via Built-Using as they are part of the active running code just as they would be with a lib being a runtime dependency or vendored code built into it. Have a look at the many "Source only movements to main (unsubscribed)" at [1] of which a lot seem to be due to the built-using of this package. I'll mark this incomplete for one of the affected PKG, to show up on everyones radar again, as a start please subscribe to all these packages. The handling of the related MIRs most likely is pretty much the same for all, some paperwork to please the process - but not different to what happens when security goes down into the vendored deps if a package has them. [1]: https://ubuntu-archive-team.ubuntu.com/component-mismatches.html ** Also affects: go-md2man-v2 (Ubuntu) Importance: Undecided Status: New ** Changed in: go-md2man-v2 (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2134530 Title: MIR for Restic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/go-md2man-v2/+bug/2134530/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
