• Bug#1098552: golang-github-fullsailor-pkcs7: FTBFS: verify_test.go:563:

    From Simon Josefsson@21:1/5 to Faidon Liambotis on Fri Mar 7 17:40:01 2025
    Hi Faidon, (cc'ing debian-go list since this affects several Go packages)

    Faidon Liambotis <paravoid@debian.org> writes:

    > Hi Simon,
    >
    > On Fri, Feb 21, 2025 at 11:27:00PM +0000, Santiago Vila wrote:
    >> During a rebuild of all packages in unstable, your package failed to build:
    >>
    >> <snip>
    >>
    >> verify_test.go:563: Verify failed with error: pkcs7: failed to
    >> verify certificate chain: x509: certificate signed by unknown
    >> authority (possibly because of "x509: cannot verify signature:
    >> insecure algorithm SHA1-RSA" while trying to verify candidate
    >> authority certificate "PKCS7 Test Intermediate Cert")
    >> --- FAIL: TestSignWithOpenSSLAndVerify (0.01s)
    >
    > I started looking into this issue because it's threatening autoremoval
    > of podman, by virtue of being in its reverse-dependency chain. I don't
    > know anything else about this package, nor have I made any uploads for
    > it.
    >
    > While looking into it, I noticed that it's abandonware upstream, started
    > looking around and finally ended up finding your comment at
    > https://github.com/smallstep/pkcs7/issues/45 :)
    >
    > From there I gather that:
    > a) you are already aware of this issue;
    > b) you've already worked around it for smallstep/pkcs7;
    > c) you're considering replacing fullsailor/pkcs7 with smallstep/pkcs7.
    >
    > Given all that, it feels like perhaps you intentionally haven't fixed
    > this fullsailor/pkcs7 bug, so I wanted to check with you before working
    > on it. I'd love to hear your thoughts on how to proceed!

    I have uploaded golang-github-smallstep-pkcs7 to NEW:

    https://ftp-master.debian.org/new.html

    I am hoping that

    1) the package will be approved by ftp-masters soon, and

    2) that we can patch all build dependencies of
    golang-github-fullsailor-pkcs7 and golang-github-digitorus-pkcs7 to use golang-github-smallstep-pkcs7 instead

    3) Lobby for upstreams to use golang-github-smallstep-pkcs7 instead.

    4) Don't ship golang-github-fullsailor-pkcs7 and
    golang-github-digitorus-pkcs7 with trixie at all.

    I have not started working on 2) and would appreciate help on it.

    If there is a show stopper here and there is some package that cannot be
    built against golang-github-smallstep-pkcs7 instead, then my plan won't
    work out. Given the response in
    https://github.com/smallstep/pkcs7/issues/45 I have hopes this will work though, and that they are co-operative to fix things to make it easier
    to accomplish.

    If you want to fix golang-github-fullsailor-pkcs7 and golang-github-digitorus-pkcs7 in Debian now, to avoid auto-removal
    threats, I think doing so in parallel is fine. I didn't do it due to
    lack of time, and preferring to focus on the long-term better approach
    instead.

    /Simon


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon Josefsson@21:1/5 to Martina Ferrari on Fri Mar 7 22:10:02 2025
    Martina Ferrari <tina@tina.pm> writes:

    > Hi,
    >
    > I was looking at this bug only a few minutes ago, because of this
    > package threatening prometheus to be removed from testing.
    >
    > On 07/03/2025 16:34, Simon Josefsson wrote:
    >
    >> I have uploaded golang-github-smallstep-pkcs7 to NEW:
    >> https://ftp-master.debian.org/new.html
    >> I am hoping that
    >> 1) the package will be approved by ftp-masters soon, and
    >> 2) that we can patch all build dependencies of
    >> golang-github-fullsailor-pkcs7 and golang-github-digitorus-pkcs7 to use
    >> golang-github-smallstep-pkcs7 instead
    >
    > This is a great initiative, but I am worried that we are very close to
    > the freeze, and the NEW queue is really big right now. I think it
    > would make sense to patch this bug meanwhile?

    Please go ahead! I did not look into how to patch the existing
    packages. These efforts can indeed run in parallel; if we manage to
    replace golang-github-fullsailor-pkcs7 and golang-github-digitorus-pkcs7
    with golang-github-smallstep-pkcs7 then all is good, if not we'll have
    to patch golang-github-fullsailor-pkcs7 and
    golang-github-digitorus-pkcs7 to keep those alive.

    /Simon
