Hello Nicholas, On 11/12/21 20:07, Nicholas D Steeves wrote:
Please keep me in the loop, and if you have time please share your analysis; anarcat often encourages me to do this "for posterity" and so others can learn. Also it might also be nice to add a point to our wiki about how to resolve this type of case--if you'd prefer I can reformat your future rationale, submit it to you for review, and update the article.
Actually I have think a bit about it there was another solution: Can we downgrade the github.com/shirou/disk version in Syncthing? How much changes would that induce? The response is: almost nothing. The major bump of the library haven't change a lot of changes in the way we are using the module. See: https://github.com/syncthing/syncthing/compare/v1.18.0...creekorful:creekorful/debian-backport So I've follow the easiest and less impactful way. We should still bump golang-github-shirou-disk to v3 later on, but we can take our time (exp upload?) so we make sure we won't break anything. The others options were: - Bump golang-github-shirou-disk to v3 . Pros: - Only one package on the archive. - Make sure we are using latest version of the library, with bugfixes and new features. - Will also improve the other packages. . Cons: - Lots of work (and syncthing will be RM from testing soonish) - Possibly lot of breakages, need coordination, etc... - Introduce new golang-github-shirou-disk-v3 . Pros: - Don't break anything. - Make sure we use the same code as upstream does. . Cons: - Duplicate package on the archive. - Make security team work harder. - Still need to RM old package and make everyone use newest version. This is certainly opinionated and I'm certainly wrong on certain point, but that's how I see the situation. Cheers,
Best, Nicholas
-- Aloïs Micard (creekorful) <al...@micard.lu> GPG: DA4A A436 9BFA E299 67CD E85B F733 E871 0859 FCD2
OpenPGP_signature
Description: OpenPGP digital signature
