Hi Sascha, On Sun, Aug 24, 2025 at 09:48:30AM +0200, Sascha Steinbiss wrote: > Hi Salvatore, > > > CC to Sascha and the Debian Go Packaging team, and tagging the issue > > moreinfo for having input from SAscha and the Debian Go packaging > > team. > > > > golang-gopkg-pg.v5 has not seen updates since 2021 (with a no-change > > NMU) from Holger, and only uploads back in 2018. > > I see. > > > As the package hat (at least one security) issue open, should > > golang-gopkg-pg.v5 (and so as well srcfever) be removed from unstable > > (and forky)? > > Since I'd be sad to see fever go, I would be happy to package a more recent > version of go-pg (e.g. 10.15.0 which should not be affected by the CVE open > as a bug on the current package [1]) and ensure that fever can build with > that, also updating the dependency there. We should then be fine to remove > v5 from unstable and forky once the new version of go-pg has passed NEW. > > Would that be OK with you?
yes that soulds like a good plan, so let's defer the removal of golang-gopkg-pg.v5 for when we have a newer version packaged and ensured fever can work with it, move to it, and then get golang-gopkg-pg.v5 removed. Thank you for the quick response! So I think we can leave this bug open, with the moreinfo attaached and remove the moreinfo once fever can move to the new dependency. Regards, Salvatore
