
Bug#1011665: Newer releases are available


Marco d'Itri

May 25, 2022, 8:50:04 PM
Package: crowdsec
Version: 1.0.9-4
Severity: wishlist

The currently packaged release is over one year old.

https://github.com/crowdsecurity/crowdsec/releases/

--
ciao,
Marco

Cyril Brulebois

May 25, 2022, 9:30:03 PM
Hi Marco,

Marco d'Itri <m...@linux.it> (2022-05-26):
> The currently packaged release is over one year old.
>
> https://github.com/crowdsecurity/crowdsec/releases/

I'm working on the many modules that are required for newer releases,
and checking how upgrades are affecting existing packages and their
reverse dependencies.


Cheers,
--
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/

Cyril Brulebois

Oct 12, 2022, 6:40:35 AM
Hi,

I've been preparing an updated crowdsec package, and here's a new batch
of new or updated packages that are needed for the v1.4.x branch. Please
let me know if you have any concerns or comments regarding that bunch of
packages. I've split it into several lists to ease reviewing them.

I would expect people not to care too much about the first list; but
maybe maintainers of the existing packages (second and third lists) have
an opinion about my plans.


New packages:
-------------

- golang-ariga-atlas
  + required by golang-entgo-ent
- golang-entgo-ent
  + required by crowdsec
  + replaces golang-github-facebook-ent
- golang-github-alexliesenfeld-health
  + required by crowdsec
- golang-github-c-robinson-iplib
  + required by crowdsec
- golang-github-confluentinc-bincover
  + required by crowdsec
- golang-github-crowdsecurity-dlog
  + required by crowdsec
- golang-github-crowdsecurity-grokky
  + required by crowdsec
  + replaces golang-github-logrusorgru-grokky
- golang-github-crowdsecurity-machineid
  + required by crowdsec
- golang-github-jszwec-csvutil
  + required by crowdsec
- golang-github-r3labs-diff
  + required by crowdsec
- golang-github-slack-go-slack
  + required by crowdsec


New -vN packages:
-----------------

- golang-github-apparentlymart-go-textseg-v13
  + required by (updated) golang-github-zclconf-go-cty
  + upstream documents using the /v13 path in `go get`, go.mod, etc.
  + golang-github-apparentlymart-go-textseg-dev has a few reverse
    dependencies in main
  + a few patches were needed to support Unicode 13 / Go 1.19, so
    using a new -v13 package seems safer than trying to switch the
    existing versionless package to a new upstream release; some
    users of /v12 are actually shipping vendorized hashicorp/hcl,
    so I'm not sure we could fix anything even if we wanted to…
    (see nomad* and packer further down).
- golang-github-hashicorp-hcl-v2
  + required by golang-ariga-atlas
  + golang-github-hashicorp-hcl-dev has 98 reverse dependencies in
    main, so keeping the existing versionless package and introducing a
    -v2 looks much safer!
  + will likely be beneficial to others, since hashicorp/hcl is
    currently stuck at 1.0.0, and hashicorp/hcl/v2 is vendorized by
    other packages…


Updated packages:
-----------------

- golang-github-gin-gonic-gin
  + required by crowdsec
  + update from 1.6.3 to 1.8.1
  + ratt is fine except:
    - crowdsec:
      + I'm working on its update, the old version doesn't count!
    - golang-gitlab-gitlab-org-labkit:
      + already RC-buggy: #1021583 (FTBFS)
    - golang-nhooyr-websocket:
      + package confusion, fixed in 1.8.7-3
        https://salsa.debian.org/go-team/packages/golang-nhooyr-websocket/-/commit/e00ff53
    - nomad:
      + already RC-buggy: #1000441 (FTBFS), #1021273 (many CVEs),
        #994214 (FTBFS)
    - prometheus:
      + already RC-buggy: #1020145 (FTBFS)
- golang-github-zclconf-go-cty
  + required by golang-github-hashicorp-hcl-v2
  + update from 1.5.1 to 1.11.0
  + ratt is fine except:
    - nomad:
      + already RC-buggy: #1000441, #1021273, #994214
      + additionally, undocumented (build-)dep on
        golang-github-apparentlymart-go-textseg, which is going to be
        exposed by golang-github-zclconf-go-cty moving to the -v13
        package: #1021650
    - nomad-driver-podman:
      + RC-buggy, outdated
      + additionally, undocumented (build-)dep on
        golang-github-apparentlymart-go-textseg, via nomad and its
        golang-github-hashicorp-nomad-dev (#1021650): #1021652
    - packer
      + undocumented (build-)dep on
        golang-github-apparentlymart-go-textseg, which is going to be
        exposed by golang-github-zclconf-go-cty moving to the -v13
        package: #1021654
      + This one can be fixed (right now) since it doesn't otherwise
        FTBFS.


In summary, updating those two packages would break a little more
existing packages that are already RC-buggy; and that “extra breakage”
would only be about exposing existing issues (hidden by accident) for
which trivial patches aren't sufficient due to other, more important
issues. The following bug reports would get a severity bump from
important to serious after golang-github-zclconf-go-cty is uploaded:
#1021650 (nomad), #1021652 (nomad-driver-podman), #1021654 (packer);
even if I'm about to fix the last one in advance.

Shengjing Zhu

Oct 12, 2022, 9:50:03 AM
Hi,

On Wed, Oct 12, 2022 at 6:30 PM Cyril Brulebois <cy...@debamax.com> wrote:
> New -vN packages:
> -----------------
>
> - golang-github-apparentlymart-go-textseg-v13
>   + required by (updated) golang-github-zclconf-go-cty
>   + upstream documents using the /v13 path in `go get`, go.mod, etc.
>   + golang-github-apparentlymart-go-textseg-dev has a few reverse
>     dependencies in main
>   + a few patches were needed to support Unicode 13 / Go 1.19, so
>     using a new -v13 package seems safer than trying to switch the
>     existing versionless package to a new upstream release; some
>     users of /v12 are actually shipping vendorized hashicorp/hcl,
>     so I'm not sure we could fix anything even if we wanted to…
>     (see nomad* and packer further down).

Thanks for the detailed plan! All look good to me except this.
I think it can just bump to v13 without introducing a new package. I'll
try today and if I fail I will let you know.

--
Shengjing Zhu

Shengjing Zhu

Oct 12, 2022, 10:30:04 AM
Uploaded golang-github-apparentlymart-go-textseg_13.0.0-1,
golang-github-zclconf-go-cty_1.5.1-4, and packer_1.6.6+ds1-5.

--
Shengjing Zhu

Cyril Brulebois

Oct 12, 2022, 11:11:24 AM
Shengjing Zhu <zh...@debian.org> (2022-10-12):
> On Wed, Oct 12, 2022 at 9:37 PM Shengjing Zhu <zh...@debian.org> wrote:
> > Thanks for the detailed plan! All look good to me except this.

Many thanks for the review and the few uploads!

> > I think it can just bump to v13 without introducing a new package.
> > I'll try today and if I fail I will let you know.

Good catch!

I think I should have checked my numbers there, instead of staying with
the “there are a few tricky reverse dependencies” impression I got from
before I actually dug into the nomad* and packer packages…

There are indeed golang-github-zclconf-go-cty and packer you uploaded:

> Uploaded golang-github-apparentlymart-go-textseg_13.0.0-1,
> golang-github-zclconf-go-cty_1.5.1-4, and packer_1.6.6+ds1-5.

but also the non-official reverse-dependencies that vendorize
hashicorp/hcl/v2 (nomad #1021650 and nomad-driver-podman #1021652),
which seemed like possibly problematic packages initially.

If all they need is golang-github-apparentlymart-go-textseg-dev added to
(Build-|)Depends, and a version bump (/v12 → /v13) in their codebase,
I'll push a patch in the BTS and in master for those.

Of course, since golang-github-zclconf-go-cty will stay with the
existing golang-github-apparentlymart-go-textseg-dev package, the
fallback of the update should be more limited than I anticipated
initially.

Shengjing Zhu

Oct 12, 2022, 11:20:04 AM
On Wed, Oct 12, 2022 at 11:05 PM Cyril Brulebois <cy...@debamax.com> wrote:
>
> Shengjing Zhu <zh...@debian.org> (2022-10-12):
> > On Wed, Oct 12, 2022 at 9:37 PM Shengjing Zhu <zh...@debian.org> wrote:
> > > Thanks for the detailed plan! All look good to me except this.
>
> Many thanks for the review and the few uploads!
>
> > > I think it can just bump to v13 without introducing a new package.
> > > I'll try today and if I fail I will let you know.
>
> Good catch!
>
> I think I should have checked my numbers there, instead of staying with
> the “there are a few tricky reverse dependencies” impression I got from
> before I actually dug into the nomad* and packer packages…
>
> There are indeed golang-github-zclconf-go-cty and packer you uploaded:
>
> > Uploaded golang-github-apparentlymart-go-textseg_13.0.0-1,
> > golang-github-zclconf-go-cty_1.5.1-4, and packer_1.6.6+ds1-5.
>
> but also the non-official reverse-dependencies that vendorize
> hashicorp/hcl/v2 (nomad #1021650 and nomad-driver-podman #1021652),
> which seemed like possibly problematic packages initially.
>

They are already not in testing, so I'm just lazy enough to keep
investigating...

--
Shengjing Zhu

Cyril Brulebois

Oct 13, 2022, 4:30:04 PM
Cyril Brulebois <cy...@debamax.com> (2022-10-12):
All in NEW:

#1021716: ITP: golang-ariga-atlas
#1021721: ITP: golang-entgo-ent
#1021725: ITP: golang-github-alexliesenfeld-health
#1021720: ITP: golang-github-c-robinson-iplib
#1021717: ITP: golang-github-confluentinc-bincover
#1021715: ITP: golang-github-crowdsecurity-dlog
#1021718: ITP: golang-github-crowdsecurity-grokky
#1021724: ITP: golang-github-crowdsecurity-machineid
#1021719: ITP: golang-github-jszwec-csvutil
#1021722: ITP: golang-github-r3labs-diff

Uploaded to NEW, but dinstall is still running:

#1021741: ITP: golang-github-slack-go-slack

For the last one, I had failed to spot earlier work that seems to have
stalled a bit since then:
https://salsa.debian.org/go-team/packages/golang-github-slack-go-slack/-/issues/5#note_284108

I've taken the liberty to push the latest version, but I'll make sure
to credit Takuma Shibuya in a follow-up commit!

The package seems quite similar, and we encountered the same issue,
which I've filed upstream:
https://github.com/slack-go/slack/issues/1116

I'm very sorry, I only realized when creating the Salsa repository,
which failed because it existed already!


> New -vN packages:
> -----------------
>
> - golang-github-apparentlymart-go-textseg-v13
>   + required by (updated) golang-github-zclconf-go-cty
>   + upstream documents using the /v13 path in `go get`, go.mod, etc.
>   + golang-github-apparentlymart-go-textseg-dev has a few reverse
>     dependencies in main
>   + a few patches were needed to support Unicode 13 / Go 1.19, so
>     using a new -v13 package seems safer than trying to switch the
>     existing versionless package to a new upstream release; some
>     users of /v12 are actually shipping vendorized hashicorp/hcl,
>     so I'm not sure we could fix anything even if we wanted to…
>     (see nomad* and packer further down).

Dropped! Thanks to Shengjing Zhu's feedback, I'm sticking to the
unversioned golang-github-apparentlymart-go-textseg(-dev).

> - golang-github-hashicorp-hcl-v2
>   + required by golang-ariga-atlas
>   + golang-github-hashicorp-hcl-dev has 98 reverse dependencies in
>     main, so keeping the existing versionless package and introducing a
>     -v2 looks much safer!
>   + will likely be beneficial to others, since hashicorp/hcl is
>     currently stuck at 1.0.0, and hashicorp/hcl/v2 is vendorized by
>     other packages…

In NEW as well:

#1021723: ITP: golang-github-hashicorp-hcl-v2


> Updated packages:
> -----------------
>
> - golang-github-gin-gonic-gin
>   + required by crowdsec
>   + update from 1.6.3 to 1.8.1
>   + ratt is fine except:
>     - crowdsec:
>       + I'm working on its update, the old version doesn't count!
>     - golang-gitlab-gitlab-org-labkit:
>       + already RC-buggy: #1021583 (FTBFS)
>     - golang-nhooyr-websocket:
>       + package confusion, fixed in 1.8.7-3
>         https://salsa.debian.org/go-team/packages/golang-nhooyr-websocket/-/commit/e00ff53
>     - nomad:
>       + already RC-buggy: #1000441 (FTBFS), #1021273 (many CVEs),
>         #994214 (FTBFS)
>     - prometheus:
>       + already RC-buggy: #1020145 (FTBFS)

Final ratt check before uploading, only failures were:
- golang-gitlab-gitlab-org-labkit: #1021583
- nomad: multi-RC buggy.

Uploaded and accepted into unstable.

> - golang-github-zclconf-go-cty
>   + required by golang-github-hashicorp-hcl-v2
>   + update from 1.5.1 to 1.11.0
>   + ratt is fine except:
>     - nomad:
>       + already RC-buggy: #1000441, #1021273, #994214
>       + additionally, undocumented (build-)dep on
>         golang-github-apparentlymart-go-textseg, which is going to be
>         exposed by golang-github-zclconf-go-cty moving to the -v13
>         package: #1021650
>     - nomad-driver-podman:
>       + RC-buggy, outdated
>       + additionally, undocumented (build-)dep on
>         golang-github-apparentlymart-go-textseg, via nomad and its
>         golang-github-hashicorp-nomad-dev (#1021650): #1021652
>     - packer
>       + undocumented (build-)dep on
>         golang-github-apparentlymart-go-textseg, which is going to be
>         exposed by golang-github-zclconf-go-cty moving to the -v13
>         package: #1021654
>       + This one can be fixed (right now) since it doesn't otherwise
>         FTBFS.

Since packer was fixed by Shengjing Zhu, the only failures are:
- nomad
- nomad-driver-podman

Uploaded and accepted into unstable.

Since we're sticking to the unversioned go-textseg package in go-cty,
we're still pulling the right package indirectly, but it would make
sense to fix the missing (build-)dependency anyway; and to switch the
import path from /v12 to /v13. I might do that but since those packages
are in a rather bad shape already, I might skip that entirely; I'll
update the bug reports (#1021650, #1021652) regarding what actually
happened on the go-textseg front (no new package).

> In summary, updating those two packages would break a little more
> existing packages that are already RC-buggy; and that “extra breakage”
> would only be about exposing existing issues (hidden by accident) for
> which trivial patches aren't sufficient due to other, more important
> issues. The following bug reports would get a severity bump from
> important to serious after golang-github-zclconf-go-cty is uploaded:
> #1021650 (nomad), #1021652 (nomad-driver-podman), #1021654 (packer);
> even if I'm about to fix the last one in advance.

Of course: please let me know if you spot any problems with all those
new repositories and all those uploads!