Shengjing Zhu <z...@debian.org> writes:

> On Mon, Jan 15, 2024 at 8:51 PM Simon Josefsson <si...@josefsson.org> wrote:
>>
>> Package: wnpp
>> Severity: wishlist
>> Owner: Simon Josefsson <si...@josefsson.org>
>>
>> * Package name    : golang-github-adamkorcz-go-fuzz-headers-1
>>   Version         : 0.0~git20230919.8b5d3ce-1
>>   Upstream Author : Adam Korcz <a...@adalogics.com>
>> * URL             : https://github.com/AdamKorcz/go-fuzz-headers-1
>> * License         : Apache-2.0
>>   Programming Lang: Go
>>   Description     : helper functions for Go fuzzing (library)
>>
>>  Various helper functions for go fuzzing. It is mostly used in combination
>>  with go-fuzz (https://github.com/dvyukov/go-fuzz), but compatibility with
>>  fuzzing in the standard library will also be supported. Any coverage guided
>>  fuzzing engine that provides an array or slice of bytes can be used with
>>  go-fuzz-headers.
>>  .
>>  go-fuzz-headers' approach to fuzzing structs is strongly inspired by
>>  gofuzz (https://github.com/google/gofuzz).
>>
>> I hope to maintain this package as part of Debian Go Packaging Team:
>>
>> https://salsa.debian.org/go-team/packages/golang-github-adamkorcz-go-fuzz-headers-1/
>>
>
> Usually we don't run fuzz tests when building packages, because it
> would waste a lot of buildd resources.
>
> In theory we don't need any fuzz related libraries. But upstream may
> mix their unit tests and fuzz tests in one source file, which makes it
> difficult to strip such tests and their libraries.
> The Go compiler by default wouldn't run fuzz tests.
>
> For packaging rekor, I think all these fuzz tests can be stripped by
> file names. It seems upstream just puts all fuzz tests in
> "fuzz_test.go".

What is the best method to modify rekor to not need this dependency?

If rekor can work without this package, I'm happy to avoid packaging it,
although it is already in NEW.

Looking at the code, it seems to be used here:

go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18 h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk=
go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18/go.mod h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M=
hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd h1:1tbEqR4NyQLgiod7vLXSswHteGetAVZrMGCqrJxLKRs=
hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd/go.mod h1:0vOOKsOMKPThRu9lQMAxcQ8D60f8U+wHXl07SyUw0+U=
hack/tools/tools.go:    _ "github.com/AdamKorcz/go-fuzz-headers-1"
hack/tools/go.mod:      github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd
pkg/types/hashedrekord/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/rpm/v0.0.1/fuzz_test.go:      fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/alpine/v0.0.1/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/alpine/fuzz_test.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/cose/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/jar/v0.0.1/fuzz_test.go:      fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/rekord/v0.0.1/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/intoto/v0.0.1/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/intoto/v0.0.2/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/tuf/v0.0.1/fuzz_test.go:      fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/helm/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/dsse/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/types/rfc3161/v0.0.1/fuzz_test.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/fuzz/alpine_utils.go:       fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/fuzz/fuzz_utils.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
pkg/fuzz/jar_utils.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
go.mod: github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18

Would we have to patch all of these files?  Or disable building them
somehow?

Let's see if we can develop a workaround before ftp-master approves the
packages...  otherwise maybe it doesn't hurt to use it anyway, and may
save us time maintaining patches.

/Simon
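
The listing above mixes two kinds of importers: fuzz_test.go files, which go away when tests are stripped by file name, and ordinary sources (pkg/fuzz/*.go, hack/tools/tools.go), which do not. The shell functions below are an added example, not part of the original message or of rekor; they separate the two kinds and report files that would be left behind while still importing a helper package. The function names are hypothetical and the example.org/demo tree built by make_sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Printed paths are relative to the root.

# .go files under root $1 that import the path $2.
list_importers() {
    ( cd "$1" && grep -rlF --include='*.go' "\"$2\"" . ) | sed 's|^\./||' | sort
}

# Importers that go away when *_test.go files are dropped by name.
test_importers() { list_importers "$1" "$2" | grep '_test\.go$' || true; }

# Importers that are ordinary sources (helper packages, tools.go).
nontest_importers() { list_importers "$1" "$2" | grep -v '_test\.go$' || true; }

# Directories (Go packages) that hold the non-test importers.
helper_dirs() {
    nontest_importers "$1" "$2" | while read -r f; do dirname "$f"; done | sort -u
}

# Files that do not import $2 themselves but import one of the helper
# packages: removing the helpers without handling these breaks the build.
residual_users() {
    mod=$(sed -n 's/^module[[:space:]]*//p' "$1/go.mod")
    drop=$(list_importers "$1" "$2")
    helper_dirs "$1" "$2" | while read -r d; do
        list_importers "$1" "$mod/$d"
    done | sort -u | while read -r f; do
        printf '%s\n' "$drop" | grep -qxF "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample tree (module example.org/demo is made up; it only
# mirrors the pkg/fuzz and fuzz_test.go layout shown in the listing).
make_sample() {
    mkdir -p "$1/pkg/fuzz" "$1/pkg/types/rpm" "$1/pkg/util"
    echo 'module example.org/demo' > "$1/go.mod"
    printf 'package fuzz\nimport fuzz "%s"\n' "$2" > "$1/pkg/fuzz/fuzz_utils.go"
    printf 'package rpm\nimport fuzz "%s"\n' "$2" > "$1/pkg/types/rpm/fuzz_test.go"
    printf 'package rpm\nimport "example.org/demo/pkg/fuzz"\n' > "$1/pkg/types/rpm/e2e_test.go"
    printf 'package util\nimport "fmt"\n' > "$1/pkg/util/util.go"
}

# Report for a real tree: sh thisfile SRC_ROOT IMPORT_PATH
if [ "$#" -eq 2 ]; then
    echo "# dropped with *_test.go:";  test_importers "$1" "$2"
    echo "# non-test importers:";      nontest_importers "$1" "$2"
    echo "# left behind, still import a helper package:"; residual_users "$1" "$2"
fi
```

An empty third section means the helper directories can be removed together with the fuzz tests; any path listed there needs a patch or has to be removed as well.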
