Bug#1060839: ITP: golang-github-adamkorcz-go-fuzz-headers-1 -- helper functions for Go fuzzing (library)

[Simon Josefsson]

Shengjing Zhu <z...@debian.org> writes:

>> go.sum:github.com/AdamKorcz/go-fuzz-headers-1
>> v0.0.0-20230618160516-e936619f9f18
>> h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk=
>> go.sum:github.com/AdamKorcz/go-fuzz-headers-1
>> v0.0.0-20230618160516-e936619f9f18/go.mod
>> h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M=
>> hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1
>> v0.0.0-20230329111138-12e09aba5ebd
>> h1:1tbEqR4NyQLgiod7vLXSswHteGetAVZrMGCqrJxLKRs=
>> hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1
>> v0.0.0-20230329111138-12e09aba5ebd/go.mod
>> h1:0vOOKsOMKPThRu9lQMAxcQ8D60f8U+wHXl07SyUw0+U=
>> hack/tools/tools.go:    _ "github.com/AdamKorcz/go-fuzz-headers-1"
>> hack/tools/go.mod:      github.com/AdamKorcz/go-fuzz-headers-1 
>> v0.0.0-20230329111138-12e09aba5ebd
>> pkg/types/hashedrekord/v0.0.1/fuzz_test.go:     fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/rpm/v0.0.1/fuzz_test.go:      fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/alpine/v0.0.1/fuzz_test.go:   fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/alpine/fuzz_test.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/cose/v0.0.1/fuzz_test.go:     fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/jar/v0.0.1/fuzz_test.go:      fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/rekord/v0.0.1/fuzz_test.go:   fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/intoto/v0.0.1/fuzz_test.go:   fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/intoto/v0.0.2/fuzz_test.go:   fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/tuf/v0.0.1/fuzz_test.go:      fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/helm/v0.0.1/fuzz_test.go:     fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/dsse/v0.0.1/fuzz_test.go:     fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/types/rfc3161/v0.0.1/fuzz_test.go:  fuzz 
>> "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/fuzz/alpine_utils.go:       fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/fuzz/fuzz_utils.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
>> pkg/fuzz/jar_utils.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
>> go.mod: github.com/AdamKorcz/go-fuzz-headers-1 
>> v0.0.0-20230618160516-e936619f9f18
>>
>> Would we have to patch all of these files?  Or disable building them
>> somehow?
>>
>
> Just remove these files, either via Files-Excluded in
> debian/copyright, or rm in builddir in debian/rules.

Hi.  Ftp-master quickly approved this package, so we have it in Debian
now.  Since I'm not that familiar with Go, maintaining a patch for rekor
to patch out these references to the fuzz library is harder for me than
to maintain golang-github-adamkorcz-go-fuzz-headers-1.  My preference is
to not deviate from upstream here, since adding Debian-specific patches
usually leads to problems down the road in my experience.  If you
strongly prefer to keep this package out of a Debian release, and can
help maintain the patches necessary for rekor, please push a patch to
the rekor git repository to get rid of this dependency, and open a RC
critical bug for golang-github-adamkorcz-go-fuzz-headers-1 package to
keep it ouf of testing.

/Simon

>
>> Let's see if we can develop a workaround before ftp-master approves the
>> packages...  otherwise maybe it doesn't hurt to use it anyway, and may
>> save us time maintaining patches.
>>
>> /Simon

signature.asc
Description: PGP signature