I looked into making a proper debdiff now, and found a problem. Upgrading golang-github-tillitis-tkeyclient from 1.1.0-2 (trixie) to new upstream 1.3.1 depends on a newer version of golang-github-ccoveille-go-safecast. Trixie has version 1.6.0-1, but at least the upstream v2.0.0 is required (already in testing).
We COULD back-port golang-github-ccoveille-go-safecast too, but when looking into that I realized that upgrading golang-github-ccoveille-go-safecast from 1.6.x to 2.0.x breaks reverse builds of not only golang-github-tillitis-tkeyclient (which is expected and part of the plan) but another unrelated package in trixie: golang-github-smallstep-certificates-dev. I stopped looking there, we could back-port golang-github-smallstep-certificates-dev too. It only has one reverse build dependency in trixie: caddy. I didn't check if caddy in trixie builds with a more recent golang-github-smallstep-certificates-dev; if not, back-porting a fix to caddy is required too. I think this is getting messy. I'm not convinced this is a reasonable plan for stable-updates any more. I'll ask upstream if they could provide a proper back-port of the security fixes to the golang-github-tillitis-tkeyclient v1.1.0 release (and the related tkey-ssh-agent v1.0.0 release) without the unrelated golang-github-ccoveille-go-safecast version bump. /Simon Jonathan Wiltshire <[email protected]> writes: > Control: tag -1 confirmed > > Hi, > > Please go ahead with the necessary debian/changelog entry added. > > Thanks,
signature.asc
Description: PGP signature

