On Tue, Jan 16, 2024 at 4:28 AM Simon Josefsson <si...@josefsson.org> wrote:
>
> Shengjing Zhu <z...@debian.org> writes:
>
> > On Mon, Jan 15, 2024 at 8:51 PM Simon Josefsson <si...@josefsson.org> wrote:
> >>
> >> Package: wnpp
> >> Severity: wishlist
> >> Owner: Simon Josefsson <si...@josefsson.org>
> >>
> >> * Package name    : golang-github-adamkorcz-go-fuzz-headers-1
> >>   Version         : 0.0~git20230919.8b5d3ce-1
> >>   Upstream Author : Adam Korcz <a...@adalogics.com>
> >> * URL             : https://github.com/AdamKorcz/go-fuzz-headers-1
> >> * License         : Apache-2.0
> >>   Programming Lang: Go
> >>   Description     : helper functions for Go fuzzing (library)
> >>
> >>  Various helper functions for go fuzzing. It is mostly used in combination
> >>  with go-fuzz (https://github.com/dvyukov/go-fuzz), but compatibility with
> >>  fuzzing in the standard library will also be supported. Any coverage guided
> >>  fuzzing engine that provides an array or slice of bytes can be used with
> >>  go-fuzz-headers.
> >>  .
> >>  go-fuzz-headers' approach to fuzzing structs is strongly inspired by
> >>  gofuzz (https://github.com/google/gofuzz).
> >>
> >> I hope to maintain this package as part of Debian Go Packaging Team:
> >>
> >> https://salsa.debian.org/go-team/packages/golang-github-adamkorcz-go-fuzz-headers-1/
> >>
> >
> > Usually we don't run fuzz test when building packages, because it
> > would waste a lot of buildd resource.
> >
> > In theory we don't need any fuzz related libraries. But upstream may
> > mix their unit tests and fuzz tests in one source file, which makes it
> > difficult to strip such tests and their libraries.
> > The Go compiler by default wouldn't run fuzz tests.
> >
> > For packaging rekor, I think all these fuzz tests can be stripped by
> > file names. It seems upstream just puts all fuzz tests in
> > "fuzz_test.go".
>
> What is the best method to modify rekor to not need this dependency?
>
> If rekor can work without this package, I'm happy to avoid packaging it,
> although it is already in NEW.
>
> Looking at code, it seems to be used here:
>
> go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18 h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk=
> go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18/go.mod h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M=
> hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd h1:1tbEqR4NyQLgiod7vLXSswHteGetAVZrMGCqrJxLKRs=
> hack/tools/go.sum:github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd/go.mod h1:0vOOKsOMKPThRu9lQMAxcQ8D60f8U+wHXl07SyUw0+U=
> hack/tools/tools.go:    _ "github.com/AdamKorcz/go-fuzz-headers-1"
> hack/tools/go.mod:      github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd
> pkg/types/hashedrekord/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/rpm/v0.0.1/fuzz_test.go:      fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/alpine/v0.0.1/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/alpine/fuzz_test.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/cose/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/jar/v0.0.1/fuzz_test.go:      fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/rekord/v0.0.1/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/intoto/v0.0.1/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/intoto/v0.0.2/fuzz_test.go:   fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/tuf/v0.0.1/fuzz_test.go:      fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/helm/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/dsse/v0.0.1/fuzz_test.go:     fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/types/rfc3161/v0.0.1/fuzz_test.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/fuzz/alpine_utils.go:       fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/fuzz/fuzz_utils.go: fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> pkg/fuzz/jar_utils.go:  fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
> go.mod: github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18
>
> Would we have to patch all of these files? Or disable building them
> somehow?
>

Just remove these files, either via Files-Excluded in debian/copyright,
or rm in builddir in debian/rules.

> Let's see if we can develop a workaround before ftp-master approves the
> packages... otherwise maybe it doesn't hurt to use it anyway, and may
> save us time maintaining patches.
>
> /Simon

-- 
Shengjing Zhu
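
The "rm in builddir" option from the reply above, sketched as an added example (not code from the thread or from rekor's Debian packaging): it selects files by the import they contain rather than by name, so the non-test importers in the quoted list (`pkg/fuzz/*_utils.go`, `hack/tools/tools.go`) are caught as well as `fuzz_test.go`. The function names and the sample tree are assumptions made for illustration, only the module path and file names come from the quoted grep output, and GNU grep is assumed for `--include`.

```shell
#!/bin/sh
# Added example, not from the thread: locate and delete the Go sources that
# import the fuzz helper, as an "rm in builddir" step would. Needs GNU grep.
FUZZ_MODULE='github.com/AdamKorcz/go-fuzz-headers-1'  # path quoted in the thread

# List every .go file under $1 that contains the quoted import path.
list_fuzz_importers() {
    { grep -rlF --include='*.go' "\"$FUZZ_MODULE\"" "$1" || true; } | sort
}

# Delete those files and print how many were removed.
strip_fuzz_importers() {
    list=$(list_fuzz_importers "$1")
    [ -n "$list" ] || { echo 0; return 0; }
    printf '%s\n' "$list" | while IFS= read -r f; do rm -f -- "$f"; done
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

# List any file (go.mod, go.sum, ...) that still mentions the module.
remaining_refs() {
    { grep -rlF "$FUZZ_MODULE" "$1" || true; } | sort
}

# Constructed sample tree; file names are modelled on the grep output above.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pkg/types/rpm/v0.0.1" "$d/pkg/fuzz" "$d/hack/tools"
    printf 'package rpm\n\nimport fuzz "%s"\n' "$FUZZ_MODULE" \
        > "$d/pkg/types/rpm/v0.0.1/fuzz_test.go"
    printf 'package rpm\n\nimport "fmt"\n' > "$d/pkg/types/rpm/v0.0.1/entry.go"
    printf 'package fuzz\n\nimport fuzz "%s"\n' "$FUZZ_MODULE" \
        > "$d/pkg/fuzz/fuzz_utils.go"
    printf 'package tools\n\nimport _ "%s"\n' "$FUZZ_MODULE" \
        > "$d/hack/tools/tools.go"
    printf 'module example.test/sample\n\nrequire %s v0.0.0\n' "$FUZZ_MODULE" \
        > "$d/go.mod"
    echo "$d"
}

# Demo on the constructed tree only; pass a real source directory to the
# functions above to use them on an unpacked package.
tree=$(make_sample_tree)
echo "removed: $(strip_fuzz_importers "$tree")"
echo "still referenced in:"; remaining_refs "$tree"
rm -rf "$tree"
```

`remaining_refs` reports the `go.mod`/`go.sum` entries that outlive the deleted sources, so they can be reviewed separately.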