I looked into making a proper debdiff now, and found a problem.

Upgrading golang-github-tillitis-tkeyclient from 1.1.0-2 (trixie) to new
upstream 1.3.1 depends on a newer version of
golang-github-ccoveille-go-safecast.  Trixie has version 1.6.0-1, but at
least the upstream v2.0.0 is required (already in testing).

We COULD back-port golang-github-ccoveille-go-safecast too, but when
looking into that I realized that upgrading
golang-github-ccoveille-go-safecast from 1.6.x to 2.0.x breaks reverse
builds of not only golang-github-tillitis-tkeyclient (which is expected
and part of the plan) but another unrelated package in trixie:
golang-github-smallstep-certificates-dev.

I stopped looking there, we could back-port
golang-github-smallstep-certificates-dev too.  It only has one reverse
build dependency in trixie: caddy.  I didn't check if caddy in trixie
builds with a more recent golang-github-smallstep-certificates-dev; if
not, back-porting a fix to caddy is required too.

I think this is getting messy.  I'm not convinced this is a reasonable
plan for stable-updates any more.

I'll ask upstream if they could provide a proper back-port of the
security fixes to the golang-github-tillitis-tkeyclient v1.1.0 release
(and the related tkey-ssh-agent v1.0.0 release) without the unrelated
golang-github-ccoveille-go-safecast version bump.

/Simon

Jonathan Wiltshire <[email protected]> writes:

> Control: tag -1 confirmed
>
> Hi,
>
> Please go ahead with the necessary debian/changelog entry added.
>
> Thanks,

Attachment: signature.asc
Description: PGP signature

Reply via email to