Your message dated Tue, 04 Jun 2024 18:00:12 +0000
with message-id <e1seysc-004wdl...@fasolo.debian.org>
and subject line Bug#1072393: fixed in golang-github-go-jose-go-jose.v3 3.0.3-3
has caused the Debian Bug report #1072393,
regarding ITP: golang-github-go-jose-go-jose.v3 -- Implementation of JOSE
standards (JWE, JWS, JWT) in Go (library) v3 branch
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1072393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Owner: Reinhard Tartler <siret...@tauware.de>
Severity: wishlist
* Package name : golang-github-go-jose-go-jose.v3
Version : 3.0.3
Upstream Author : https://github.com/go-jose/go-jose
* URL or Web page : https://github.com/go-jose/go-jose
* License : Apache 2.0
Description : Implementation of JOSE standards (JWE, JWS, JWT) in Go
(library) v3 branch
I intend to re-upload go-jose v3 to sid
While upstream really prefers projects to move to the v4 branch, that
branch requires significant changes to applications. In Debian, we still
have a number of packages depending on the v2 branch, which is out of
maintenance. Moving them over to v3 is more expedient than waiting for
upstreams to port over to v4.
The two main changes from v3 to v4 are:
- requires golang 1.21
- accepted 'alg' and 'enc' values in incoming JWT/JWEs need to be specified.
  In v3, go-jose would accept all implemented algorithms, which can cause
  issues. Going forward, software needs to be explicit what they accept.
I came across this when looking at a CVE in buildah, noticing that
ocicrypt is currently using the v2 branch in Debian (!), whereas
upstream is using the v4 branch. We currently have upgraded the package
to v4 earlier this year, and to get ocicrypt to build against that, this
might be required: https://github.com/containers/ocicrypt/pull/109
To avoid this for other packages, let's re-introduce .v3 for now and
port packages currently using .v2 over to .v4, and where difficult, at
least .v2 as interim step.
--- End Message ---
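The 'alg' allowlist change described in the ITP above, as an added example (not part of the message, and not go-jose code or its API): a standard-library sketch in which the caller, not the token header, decides which algorithms are accepted. The names `impl`, `MakeToken` and `VerifyCompact` are hypothetical, the sketch covers HMAC algorithms only, and it assumes Go 1.21 for `slices`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"hash"
	"slices"
	"strings"
)

// impl lists every algorithm this sketch implements (a v3-style accept-all set).
var impl = map[string]func() hash.Hash{"HS256": sha256.New, "HS384": sha512.New384, "HS512": sha512.New}
var b64 = base64.RawURLEncoding

func sign(alg string, key []byte, in string) string {
	m := hmac.New(impl[alg], key)
	m.Write([]byte(in))
	return b64.EncodeToString(m.Sum(nil))
}

// MakeToken builds a constructed sample compact JWS; alg must be a key of impl.
func MakeToken(alg string, payload, key []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"`+alg+`"}`)) + "." + b64.EncodeToString(payload)
	return in + "." + sign(alg, key, in)
}

// VerifyCompact rejects any header "alg" outside the caller's allowlist before verifying.
func VerifyCompact(token string, key []byte, allowed []string) ([]byte, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := b64.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	if _, ok := impl[hdr.Alg]; !ok || !slices.Contains(allowed, hdr.Alg) {
		return nil, fmt.Errorf("alg %q rejected, allowlist is %v", hdr.Alg, allowed)
	}
	if !hmac.Equal([]byte(p[2]), []byte(sign(hdr.Alg, key, p[0]+"."+p[1]))) {
		return nil, fmt.Errorf("bad signature")
	}
	return b64.DecodeString(p[1])
}

func main() {
	fmt.Println(VerifyCompact(MakeToken("HS512", []byte("{}"), []byte("k")), []byte("k"), []string{"HS256"}))
}
```

Passing every key of `impl` as the allowlist reproduces the accept-everything-implemented behaviour the message attributes to v3; a correctly signed HS512 token is still refused when the caller lists only HS256.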
--- Begin Message ---
Source: golang-github-go-jose-go-jose.v3
Source-Version: 3.0.3-3
Done: Reinhard Tartler <siret...@tauware.de>
We believe that the bug you reported is fixed in the latest version of
golang-github-go-jose-go-jose.v3, which is due to be installed in the Debian
FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated
golang-github-go-jose-go-jose.v3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 01 Jun 2024 12:19:41 -0400
Binary: golang-github-go-jose-go-jose.v3-dev
Source: golang-github-go-jose-go-jose.v3
Architecture: all source
Version: 3.0.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Closes: 1072393
Description:
golang-github-go-jose-go-jose.v3-dev - Implementation of JOSE standards (JWE,
JWS, JWT) in Go (library)
Changes:
golang-github-go-jose-go-jose.v3 (3.0.3-3) unstable; urgency=medium
.
* Re-Upload to debian again as v3, Closes: #1072393
* While upstream really prefers projects to move to the v4 branch, that
branch requires significant changes to applications. In Debian, we still
have a number of packages depending on the v2 branch, which is out of
maintenance. Moving them over to v3 is more expedient than waiting
for upstreams to port over to v4.
* Drop patches, fixed upstream
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---