Hi, and thanks for the report, and sorry for delay in noticing this. Cc
to debian-go since solving this may involve some co-ordination and could
use the attention of someone more knowledgeable.

These two packages have the same upstream! I'm not sure that was known
before.

The golang-github-smallstep-crypto package name seems like the proper
name, and it has version 0.57.0 which is newer than golang-step-crypto's 0.24.0. So I suggest we migrate to the proper package name, and remove golang-step-crypto from the archive. Thoughts on that?

The reverse dependencies for golang-step-crypto is:

golang-github-smallstep-certificates: golang-github-smallstep-certificates-dev golang-step-cli-utils: golang-step-cli-utils-dev

The first one is not in testing, and I assume that its new upstream
version works well with golang-github-smallstep-crypto 0.57.0 so should probably be easy to migrate to golang-github-smallstep-crypto.
Uploading this shouldn't interrupt anything, I think.

The second one is in testing so let's think about how to deal with it.
I'm not sure changing that package would count as a transition?

If anyone has ideas on how to do short-term quick fix or workaround, or
even better long-term improvements, feel free to propose patches or do
uploads.

/Simon

Helmut Grohne <helmut@subdivi.de> writes:

Attempting to coinstall golang-step-crypto-dev and golang-github-smallstep-crypto-dev results in an error.

mmdebstrap --variant=apt --verbose '' /dev/null 'deb http://deb.debian.org/debian unstable main' --include=golang-github-smallstep-crypto-dev,golang-step-crypto-dev

Preparing to unpack .../41-golang-step-crypto-dev_0.24.0-2_all.deb ... Unpacking golang-step-crypto-dev (0.24.0-2) ...
dpkg: error processing archive /tmp/apt-dpkg-install-P5cn1U/41-golang-step-crypto-dev_0.24.0-2_all.deb (--unpack):
trying to overwrite '/usr/share/gocode/src/go.step.sm/crypto/fingerprint/fingerprint.go', which is also in package golang-github-smallstep-crypto-dev (0.57.0-1)
Errors were encountered while processing:
/tmp/apt-dpkg-install-P5cn1U/41-golang-step-crypto-dev_0.24.0-2_all.deb

There are many more files below /usr/share/gocode/src/go.step.sm/crypto affected. Could it be that these packages duplicate each other?

Please figure out which package is at fault and correctly reassign the
bug (such that QA can still associate it with the problem):

Control: reassign -1 $PACKAGE1
Control: affects -1 + $PACKAGE2

Helmut

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmfs7xgUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFokBDAP9j2Z2+PB68 HkhAiYoyqk+BBodtQWd4XKu8xMF4AsxuogD/ddNsjGKI6HWJshIS26RZSSfLw9og NphFn+Ptrf5c0gw=
=TsTx
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

A short-term fix to resolve the RC bug may be to simply add a
'Conflicts: golang-step-crypto-dev' to
golang-github-smallstep-crypto-dev? Or is there a need to be able to co-install these two packages?

Meanwhile I looked into updating golang-github-smallstep-certificates to
latest version and ran into what I think is a build dependency issue
with golang-step-linkedca which would needs a package rename/reupload to
get the latest version. The name name ought to be golang-github-smallstep-linkedca instead which is the new namespace. It
seems most if not all of go.step.sm moved to github.com/smallstep
namespace. I doubt we can finish that transition before trixie though.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmfs9kgUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFoiDZAQC+GBsQdj3K y/EpuAJJzaJkpKmqTaVqaOHR6G0F1MAf7gEAro76zRFzq18xKB4iLCCmTuVMiGmX YIFdMnOsxmmgAQM=
=Feea
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Le lun. 7 avr. 2025 à 02:00, Jérémy Lal <kapouer@melix.org> a écrit :

Le mer. 2 avr. 2025 à 10:39, Simon Josefsson <simon@josefsson.org> a
écrit :

A short-term fix to resolve the RC bug may be to simply add a
'Conflicts: golang-step-crypto-dev' to
golang-github-smallstep-crypto-dev? Or is there a need to be able to
co-install these two packages?

Meanwhile I looked into updating golang-github-smallstep-certificates to
latest version and ran into what I think is a build dependency issue
with golang-step-linkedca which would needs a package rename/reupload to
get the latest version. The name name ought to be
golang-github-smallstep-linkedca instead which is the new namespace. It
seems most if not all of go.step.sm moved to github.com/smallstep
namespace. I doubt we can finish that transition before trixie though.

I had a look at another approach, just upgrading the dependency to golang-github-smallstep-crypto-dev
for these two packages:
- golang-step-cli-utils: all fine, level1
- golang-github-smallstep-certificates: level 2, needs the previous one rebuilt first, and the attached patch.
There are probably mistakes in that patch.

Now that that patch passes the test suite by borrowing from upstream fixes,
and that "caddy" also builds fine with them, I'm going to do as advertised.

<div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le lun. 7 avr. 2025 à 02:00, Jérémy Lal &lt;<a href="mailto:kapouer@melix.org" target="_blank">kapouer@melix.org</a>&gt; a écrit :
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="
gmail_attr">Le mer. 2 avr. 2025 à 10:39, Simon Josefsson &lt;<a href="mailto:simon@josefsson.org" target="_blank">simon@josefsson.org</a>&gt; a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">A short-term fix to resolve the RC bug may be to simply add a<br>
&#39;Conflicts: golang-step-crypto-dev&#39; to<br> golang-github-smallstep-crypto-dev?  Or is there a need to be able to<br> co-install these two packages?<br>

Meanwhile I looked into updating golang-github-smallstep-certificates to<br> latest version and ran into what I think is a build dependency issue<br>
with golang-step-linkedca which would needs a package rename/reupload to<br> get the latest version.  The name name ought to be<br> golang-github-smallstep-linkedca instead which is the new namespace.  It<br> seems most if not all of <a href="http://go.step.sm" rel="noreferrer" target="_blank">go.step.sm</a> moved to <a href="http://github.com/smallstep" rel="noreferrer" target="_blank">github.com/smallstep</a><br>
namespace.  I doubt we can finish that transition before trixie though.</blockquote><div><br></div><div><span style="color:rgb(0,0,0)">I had a look at another approach, just upgrading the dependency to </span>golang-github-smallstep-crypto-dev </div><

for these two packages:</div><div><span style="color:rgb(0,0,0)">- golang-step-cli-utils: all fine, level1</span></div><div>- golang-github-smallstep-certificates: level 2, needs the previous one rebuilt first, and the attached patch.</div><div>

There are probably mistakes in that patch.</div></div></div></div></div></blockquote><div><br></div><div>Now that that patch passes the test suite by borrowing from upstream fixes,</div><div>and that &quot;caddy&quot; also builds fine with them, I&#39;m
going to do as advertised.</div></div></div>
</div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Jérémy Lal <kapouer@melix.org> writes:

I had a look at another approach, just upgrading the dependency to
golang-github-smallstep-crypto-dev
for these two packages:
- golang-step-cli-utils: all fine, level1
- golang-github-smallstep-certificates: level 2, needs the previous one
rebuilt first, and the attached patch.
There are probably mistakes in that patch.

Now that that patch passes the test suite by borrowing from upstream fixes, and that "caddy" also builds fine with them, I'm going to do as advertised.

Thank you! Some observations - tl;dr: I suggest to remove golang-step-crypto-dev from the archive as discussed in 1) below, and
for us to ignore issue 2) + 3) below, even though they warrant more consideration.

1) Now there are no reverse dependencies on golang-step-crypto-dev any
more, so I think we could ask for removal of that package from the
archive which would resolve https://bugs.debian.org/1100967

jas@kaka:~/dpkg/golang-github-smallstep-crypto$ ssh mirror.ftp-master.debian.org "dak rm -Rn -b golang-step-crypto-dev"
Will remove the following packages from unstable:
golang-step-crypto-dev | 0.24.0-2 | all
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org> ------------------- Reason ------------------- ----------------------------------------------
Checking reverse dependencies...
No dependency problem found.
jas@kaka:~/dpkg/golang-github-smallstep-crypto$

2) However I realized I was wrong in my comment in https://bugs.debian.org/1100967#10 about which package name is the
"proper" one. Upstream's go.mod namespace is still go.step.sm/crypto
even in latest upstream master:

https://github.com/smallstep/crypto/blob/master/go.mod

So then the "correct" package name in Debian really ought to be "golang-step-crypto" after all.... sigh. Should we upload
golang-step-crypto v0.60.0 and migrate all dependencies back to the
proper name, and then remove golang-github-smallstep-crypto?

Naming policy:

https://go-team.pages.debian.net/packaging.html#_naming_conventions_2

What was missing there for me was the definition of the term "import
path", which I now take to mean the 'module FOO' line in go.mod. I
probably confused it with the source code hosting site before.

3) Upstream namespace go.step.sm/* has been renamed to
github.com/smallstep/* for many (most?) other smallstep packages, and I
had expected this to happen to go.step.sm/crypto as well. I found this
bug report that discuss it:

https://github.com/smallstep/crypto/issues/579

So it may be that shortly the right name is actually the one we have
already prematurely migrated to. Given that there are no reverse
dependencies on golang-step-crypto-dev now, I think the simplest way out
of this mess is to ask for that package to be dropped.

/Simon

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmf2kWsUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFotxzAQC3ICX1YK++ +Vn/ELpHk2ntt7+/bUpiubCRrLD1HFuCyAEA8qBfuEI396ujS7WBHLoG61hI0GgM x5YO8raUc4mkJQ8=Nl65
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Jérémy Lal <kapouer@melix.org> writes:

1) Now there are no reverse dependencies on golang-step-crypto-dev any
more, so I think we could ask for removal of that package from the
archive which would resolve https://bugs.debian.org/1100967

jas@kaka:~/dpkg/golang-github-smallstep-crypto$ ssh
mirror.ftp-master.debian.org "dak rm -Rn -b golang-step-crypto-dev"
Will remove the following packages from unstable:
golang-step-crypto-dev | 0.24.0-2 | all
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
------------------- Reason -------------------
----------------------------------------------
Checking reverse dependencies...
No dependency problem found.
jas@kaka:~/dpkg/golang-github-smallstep-crypto$

To be careful, the golang-step-crypto-dev should be removed after all its previous rdeps have migrated to testing.

I think this is the case now:

jas@kaka:~/dpkg/golang-gitlab-gitlab-org-api-client-go$ ssh mirror.ftp-master.debian.org "dak rm -Rn -b -s=testing golang-step-crypto-dev"
Will remove the following packages from testing:
golang-step-crypto-dev | 0.24.0-2 | all
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org> ------------------- Reason ------------------- ----------------------------------------------
Checking reverse dependencies...
No dependency problem found. jas@kaka:~/dpkg/golang-gitlab-gitlab-org-api-client-go$

What do you think about reassigning this bug report to ftp.debian.org
and renaming subject to:

RM: golang-step-crypto-dev -- RoM; not used, replaced by golang-github-smallstep-crypto

Once golang-step-crypto-dev is removed from testing/unstable, the
original problem in this bug report should be resolved.

I'm not sure about severity. Technically this is a RC bug in both of
these packages, but the solution to the RC problem is to remove one of
the packages. But I doubt the ftp.debian.org maintainers would regard
this as a RC bug for them? Maybe it is acceptable to lower the severity
hoping the package will be removed soon. But if the removal doesn't
happen soon, it feels weird to have RC buggy packages without a proper
RC bug on them. Helmut, do you have any preference/recommendation? If
someone who understands the bug tracker better than I could do the
rename that would be appreciated.

https://github.com/smallstep/crypto/issues/579

...

Once golang-step-crypto-dev has been removed, whatever the right name
will be can be provided by golang-github-smallstep-crypto ?
If there is no urgency to do that before Trixie, let's not change things right now ?

Yes, let's not do anything more about this -- the upstream issue above
suggests that the package name we keep will be the right one in the
future. There are never promises that will really happen, but it seems
there is a lot of work to revert this for no particular advantage except compliance with Go team naming policy. It seems more reasonable to
treat this as an exception, pending upstream rename transition finishes.

/Simon

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmf4ycYUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFoppCAP4vLFXvawZR awrcmDzXEJo7HynhvCqfwET5xD/rBuZvkQD+Jh0OfnvSZpwcEoM+spJFZLGyz9fu 8kJbl6Z0BK6X2Qc=uqO0
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Jérémy Lal <kapouer@melix.org> writes:

To avoid the odd-ness of assigning a RC bug to ftp.debian.org,
I'd rather create a new Removal Request, then block 1100967 with it ?

Of course, thank you!

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102636

/Simon

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmf43XIUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFouO+AP40vUjOd4Co ewf/JiGLqcUy+VbqX5cCy2HzMhc2O0CkjQEArv0e2YTpEPP9cjx5fHnt6KvATznF byqt+hOSU8jcJwo=+468
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Le ven. 11 avr. 2025 à 21:09, Shengjing Zhu <zhsj@debian.org> a écrit :

On Wed, Apr 9, 2025 at 11:26 PM Simon Josefsson <simon@josefsson.org> wrote:

Thank you! Some observations - tl;dr: I suggest to remove golang-step-crypto-dev from the archive as discussed in 1) below, and
for us to ignore issue 2) + 3) below, even though they warrant more consideration.

1) Now there are no reverse dependencies on golang-step-crypto-dev any more, so I think we could ask for removal of that package from the
archive which would resolve https://bugs.debian.org/1100967

[...]

2) However I realized I was wrong in my comment in https://bugs.debian.org/1100967#10 about which package name is the
"proper" one. Upstream's go.mod namespace is still go.step.sm/crypto
even in latest upstream master:

https://github.com/smallstep/crypto/blob/master/go.mod

So then the "correct" package name in Debian really ought to be "golang-step-crypto" after all.... sigh. Should we upload golang-step-crypto v0.60.0 and migrate all dependencies back to the
proper name, and then remove golang-github-smallstep-crypto?

Sorry for the late reply. But I think it can be better handled.

We can just update golang-step-crypto to 0.57.0-1 and make golang-github-smallstep-crypto-dev as a transitional package.

I prefer we keep the correct package name, aka golang-step-crypto.

That solution could be done before soft freeze.

<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le ven. 11 avr. 2025 à 21:09, Shengjing Zhu &lt;<a href="mailto:zhsj@debian.org">zhsj@debian.org</a>&gt; a écrit :<br></div><
blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Apr 9, 2025 at 11:26 PM Simon Josefsson &lt;<a href="mailto:simon@josefsson.org" target="_blank">simon@josefsson.org</a>&gt;
wrote:<br>

&gt; Thank you!  Some observations - tl;dr: I suggest to remove<br>
&gt; golang-step-crypto-dev from the archive as discussed in 1) below, and<br> &gt; for us to ignore issue 2) + 3) below, even though they warrant more<br> &gt; consideration.<br>
&gt;<br>
&gt; 1) Now there are no reverse dependencies on golang-step-crypto-dev any<br> &gt; more, so I think we could ask for removal of that package from the<br> &gt; archive which would resolve <a href="https://bugs.debian.org/1100967" rel="noreferrer" target="_blank">https://bugs.debian.org/1100967</a><br>
&gt;<br>
[...]<br>
&gt;<br>
&gt; 2) However I realized I was wrong in my comment in<br>
&gt; <a href="https://bugs.debian.org/1100967#10" rel="noreferrer" target="_blank">https://bugs.debian.org/1100967#10</a> about which package name is the<br>
&gt; &quot;proper&quot; one.  Upstream&#39;s go.mod namespace is still <a href="http://go.step.sm/crypto" rel="noreferrer" target="_blank">go.step.sm/crypto</a><br>
&gt; even in latest upstream master:<br>
&gt;<br>
&gt; <a href="https://github.com/smallstep/crypto/blob/master/go.mod" rel="noreferrer" target="_blank">https://github.com/smallstep/crypto/blob/master/go.mod</a><br>
&gt;<br>
&gt; So then the &quot;correct&quot; package name in Debian really ought to be<br>
&gt; &quot;golang-step-crypto&quot; after all.... sigh.  Should we upload<br> &gt; golang-step-crypto v0.60.0 and migrate all dependencies back to the<br> &gt; proper name, and then remove golang-github-smallstep-crypto?<br>

Sorry for the late reply. But I think it can be better handled.<br>

We can just update golang-step-crypto to 0.57.0-1 and make<br> golang-github-smallstep-crypto-dev as a transitional package.<br>

I prefer we keep the correct package name, aka golang-step-crypto.</blockquote><div><br></div><div>That solution could be done before soft freeze.</div></div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)