Package: golang-github-jesseduffield-go-git
Severity: serious

Hi

I did an upstream upload of go-git to fix some security vulnerabilities for trixie: https://tracker.debian.org/pkg/golang-github-go-git-go-git

However, I today realized that we have an old fork of that project that still has the security vulnerability: https://tracker.debian.org/pkg/golang-github-jesseduffield-go-git

According to upstream GitHub, this package is 6 commits ahead but 701 commits behind https://github.com/go-git/go-git -- the added commits are here: https://github.com/go-git/go-git/compare/master...jesseduffield:go-git:master

This looks like an abandoned fork to me, one with known security vulnerabilities coming from its upstream. Am I reading this right?

Fortunately this project doesn't seem to have any reverse dependencies in Debian (see dak output below). I don't think this package should be shipped in trixie, so I'm opening this bug report to trigger this. Does anyone disagree?

/Simon

$ ssh mirror.ftp-master.debian.org "dak rm -Rn golang-github-jesseduffield-go-git"
Will remove the following packages from unstable:

golang-github-jesseduffield-go-git |  5.1.2+git20221018.fdd53fe-1.1 | source
golang-github-jesseduffield-go-git-dev |  5.1.2+git20221018.fdd53fe-1.1 | all

Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
No dependency problem found.

$