Hi Faidon,

(cc'ing debian-go list since this affects several Go packages)

Faidon Liambotis <parav...@debian.org> writes:

> Hi Simon,
>
> On Fri, Feb 21, 2025 at 11:27:00PM +0000, Santiago Vila wrote:
>> During a rebuild of all packages in unstable, your package failed to build:
>>
>> <snip>
>>
>> verify_test.go:563: Verify failed with error: pkcs7: failed to
>> verify certificate chain: x509: certificate signed by unknown
>> authority (possibly because of "x509: cannot verify signature:
>> insecure algorithm SHA1-RSA" while trying to verify candidate
>> authority certificate "PKCS7 Test Intermediate Cert")
>> --- FAIL: TestSignWithOpenSSLAndVerify (0.01s)
>
> I started looking into this issue because it's threatening autoremoval
> of podman, by virtue of being in its reverse-dependency chain. I don't
> know anything else about this package, nor have I made any uploads for
> it.
>
> While looking into it, I noticed that it's abandonware upstream, started
> looking around and finally ended up finding your comment at
> https://github.com/smallstep/pkcs7/issues/45 :)
>
> From there I gather that:
> a) you are already aware of this issue;
> b) you've already worked around it for smallstep/pkcs7;
> c) you're considering replacing fullsailor/pkcs7 with smallstep/pkcs7.
>
> Given all that, it feels like perhaps you've intentionally not fixed
> this fullsailor/pkcs7 bug, so I wanted to check with you before working
> on it. I'd love to hear your thoughts on how to proceed!

I have uploaded golang-github-smallstep-pkcs7 to NEW:

https://ftp-master.debian.org/new.html

I am hoping that

1) the package will be approved by ftp-masters soon, and
2) that we can patch all build dependencies of golang-github-fullsailor-pkcs7
   and golang-github-digitorus-pkcs7 to use golang-github-smallstep-pkcs7
   instead
3) Lobby for upstreams to use golang-github-smallstep-pkcs7 instead.
4) Don't ship golang-github-fullsailor-pkcs7 and golang-github-digitorus-pkcs7
   with trixie at all.

I have not started working on 2) and would appreciate help on it.

If there is a show stopper here and there is some package that cannot be
built against golang-github-smallstep-pkcs7 instead, then my plan won't
work out. Given the response in
https://github.com/smallstep/pkcs7/issues/45 I have hopes this will work
though, and that they are co-operative to fix things to make it easier
to accomplish.

If you want to fix golang-github-fullsailor-pkcs7 and
golang-github-digitorus-pkcs7 in Debian now, to avoid auto-removal
threats, I think doing so in parallel is fine. I didn't do it due to lack
of time, and preferring to focus on the long-term better approach instead.

/Simon
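To make the failure in the quoted build log concrete, here is an added Go example (written for this page; it is not code from fullsailor/pkcs7, digitorus/pkcs7 or smallstep/pkcs7, and it uses none of their test fixtures). It builds a throwaway root -> intermediate -> leaf chain with crypto/x509, signs the leaf once with SHA1-RSA and once with SHA-256, and verifies it the way a pkcs7 Verify does. It assumes Go 1.18 or later, where crypto/x509 refuses SHA-1 signatures during path validation; the certificate names, serial numbers and 2048-bit RSA keys are made up for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf PKI (not any pkcs7 package's fixtures).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue generates a fresh 2048-bit RSA key for tmpl, signs tmpl with signerKey
// (nil means self-signed) and parses the resulting DER back into a Certificate.
func issue(tmpl, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil { // self-signed: the template is its own parent
		signerKey, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template returns a minimal certificate template; names and serials are invented.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
}

// BuildChain issues a self-signed root and an intermediate (both SHA-256), then a
// leaf signed by the intermediate with leafSigAlg: x509.SHA1WithRSA reproduces
// the shape of the failing chain, x509.SHA256WithRSA the fixed one.
func BuildChain(leafSigAlg x509.SignatureAlgorithm) (*Chain, error) {
	root, rootKey, err := issue(template(1, "Example Root CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(template(2, "Example Intermediate CA", true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := template(3, "Example Signer", false)
	leafTmpl.SignatureAlgorithm = leafSigAlg // the only difference between the two cases
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf is the path validation a pkcs7 Verify delegates to crypto/x509.
func VerifyLeaf(c *Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// InsecureLink checks each link with CheckSignatureFrom, which returns the
// x509.InsecureAlgorithmError that Verify only reports as a "possibly because of" hint.
func InsecureLink(c *Chain) (x509.SignatureAlgorithm, bool) {
	var insecure x509.InsecureAlgorithmError
	for _, link := range [][2]*x509.Certificate{{c.Leaf, c.Intermediate}, {c.Intermediate, c.Root}} {
		if err := link[0].CheckSignatureFrom(link[1]); errors.As(err, &insecure) {
			return x509.SignatureAlgorithm(insecure), true
		}
	}
	return 0, false
}

func main() {
	for _, alg := range []x509.SignatureAlgorithm{x509.SHA1WithRSA, x509.SHA256WithRSA} {
		c, err := BuildChain(alg)
		if err != nil {
			panic(err)
		}
		bad, rejected := InsecureLink(c)
		fmt.Printf("leaf signed with %s: Verify error = %v; insecure link = %v (%s)\n", alg, VerifyLeaf(c), rejected, bad)
	}
}
```

With the SHA1-RSA leaf, Verify returns an x509.UnknownAuthorityError whose text carries the same "possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA"" hint as the build log, while CheckSignatureFrom on the leaf/intermediate link returns the underlying x509.InsecureAlgorithmError directly. The identical chain verifies once the leaf is re-signed with SHA-256, so re-issuing SHA-1-signed test material is one durable fix; the GODEBUG=x509sha1=1 escape hatch that Go 1.18 introduced for this case has been removed as of Go 1.24.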