Hi

Regarding golang-github-jackc-pgx
https://tracker.debian.org/pkg/golang-github-jackc-pgx it seems stuck at v4 which has some open security bugs (although they are resolved in v4.18.2). I also noticed that trillian 1.7.0 started to use v5 as a build dependency.

Do you have any thoughts on how to best move forward with this package?

Do we want this package to remain at v4? Then we likely need another package that provides v5 eventually.

Could we move all v4 users up to v5? The reverse dependencies are:

cloudsql-proxy: golang-github-googlecloudplatform-cloudsql-proxy-dev
crowdsec: golang-github-crowdsecurity-crowdsec-dev
gitaly: golang-gitlab-gitlab-org-gitaly-dev
golang-github-jackc-pgtype: golang-github-jackc-pgtype-dev

Could we do a v4+v5 dual source package? We could add a new source component with the v5 source and then build it and ship a 'golang-github-jackc-pgx-v5-dev' binary package. The packaging will be complicated, but this is a possible way forward. Look at https://tracker.debian.org/pkg/golang-github-theupdateframework-go-tuf for inspiration, it ships v0 and v2 branches at the same time. I think this package is cleaner: they separate the APIs with v4/ and v5/ name-spaces, so no name conflict.

Other ideas?

/Simon