Dear Simon,

On Mon, 17 Feb 2025 09:22:50 +0100
Simon Josefsson <si...@josefsson.org> wrote:

> I did an upstream upload of go-git to fix some security vulnerabilities
> for trixie:
>
> https://tracker.debian.org/pkg/golang-github-go-git-go-git
>
> However I today realized that we have an old fork of that project that
> still has the security vulnerability:
>
> https://tracker.debian.org/pkg/golang-github-jesseduffield-go-git

Thanks! I have forwarded the CVEs to the upstream[1].

[1] https://github.com/jesseduffield/lazygit/issues/4354

> Fortunately this project doesn't seem to have any reverse dependencies
> in Debian (see dak output below). I don't think this package should be
> shipped in trixie, so I'm opening this bug report to trigger this. Does
> anyone disagree?

This package (golang-github-jesseduffield-go-git) was required for
lazygit, but I have prepared a patch to use golang-github-go-git-go-git
instead[2].

[2] https://salsa.debian.org/jmkim/lazygit-unvendored/-/blob/debian/sid/debian/patches/migrate-go-git.patch

Since this package is no longer necessary, I will request its removal.

Please note that lazygit has not yet been uploaded. I am currently
preparing it for Trixie.

Many thanks!

-- 
Jongmin Kim
D3D7 A235 22B6 41FB 78AC C775 0000 01EF CF1A 50FA