Otto Kekäläinen <o...@debian.org> writes:

> Hi,
>
> The go-tuf version string 2.0.2+0.7.0-1 seems cryptic. How is the
> package lifecycle planned to go if it actually contains the same
> package twice?

If a new release on either branch happens, the package is updated.

> Would it not be much simpler to just have two source packages in
> Debian, just like all other packages that have multiple versions?

I'm open to ideas on how to improve things here, but the situation is messy, and hopefully also transitory.

Having two source packages would not help: the problem is that upstream has file conflicts, so if there are two Debian source packages with one binary Debian package each, they would put files at the same location in /usr and would thus have to Conflict. But there are packages (e.g., cosign) that ultimately Build-Depend on both, so both have to be installed at the same time.

Upstreams are working on migrating uses of the TUF v0 API to TUF v2, but it seems they have other more urgent matters to work on too. I have been hoping to see progress in the last 2-3 months, but I'm lowering my expectations. For what it's worth, both APIs are fully supported today and are expected to be covered by security support for many years.

I resolved this by putting the v0 source code into the v2 package as a separate component AND moving the v0 files into a separate path. All consumers of this special go-tuf v0+v2 package in Debian need special patches to find the v0 namespace. I don't think there is any way around that (although I'd be happy to learn one).

Hopefully we can eventually just drop the v0 part from this source package and the migration is complete, and maybe it will happen in a relatively short time frame, but we don't know.

/Simon