Hi Nilesh,
Am Thu, Jan 27, 2022 at 06:23:08PM +0530 schrieb Nilesh Patra:
> > is not the case for the latest
> > version of golang-github-vbauerster-mpb-dev:> [...]
> > -o ./singularity
> > /build/singularity-container-3.9.4+ds1/_build/src/github.com/sylabs/singularity/cmd/singularity
> > ../internal/app/singularity/push.go:23:2: cannot find package
> > "github.com/vbauerster/mpb/v4" in any of:
>
> That's because if you look in singularity's go.mod, it depends on both
> versions of this package (v4 and v6)
> see here[1]
> Ideally, it should have different versioned 'XS-Go-Import-Path' for all
> versions. For instance as done in
> blackfriday package see here[4][5]
>
> So as far as I can tell, you could do the following:
>
> a) Package different versions of both with correct import paths, upload to
> new and then
> add B-D on these.
I admit this sounds technically clean but I would like to fix the CVEs
in singularity-container rather sooner than later and passing NEW queue
is not promising regarding a quick fix.
> b) (Not highly) recommended) Vendor[6] the old version of
> golang-github-vbauerster-mpb in the vendor directory and use
> that to build. This is messy but would solve the issue. There's already a
> vendor dir in that package which already
> gets a bunch of stuff, so this might not be much worse.
Amongst your suggestions this sounds like the most probable *I* feel
able to implement. I would love if someone might beat me with a
better solution.
> c) Port code to the version 7 of this package (which you uploaded)
I've never written a line of code in Go - so this is not for me.
I'd also think this should rather be done upstream.
> d) Revert your upload to version 6 (where it was earlier) and port the code
> written with version 4 to 6
This will not be sufficient since also version 7 is needed (according
to the docs as well as according to the error message if you build
against version 6.
> > Since I'm not a Go programmer I wonder whether somebody could give
> > some helpful hint how to fix this.
>
> Me neither, but hopefully that helped a bit?
It gave me some interesting ideas and might hopefully inspire others
to step in in case option b) sound to ugly.
> > PS: I'm not subscribed to debian-go list. Please keep the bug report
> > in CC.
>
> Hope I did enough to reach out to you :-))
You did! ;-)
Kind regards
Andreas.
> > [1] https://salsa.debian.org/hpc-team/singularity-container
> > [2] https://salsa.debian.org/hpc-team/singularity-container/-/jobs/2403226
> [3]:
> https://salsa.debian.org/hpc-team/singularity-container/-/blob/master/go.mod#L48-49
> [4]:
> https://salsa.debian.org/go-team/packages/golang-blackfriday/-/blob/debian/sid/debian/control#L18
> [5]:
> https://salsa.debian.org/go-team/packages/golang-blackfriday-v2/-/blob/debian/sid/debian/control#L17
> [6]: https://blog.gopheracademy.com/advent-2015/vendor-folder/
>
>
--
http://fam-tille.de
