All

This project:

https://tracker.debian.org/pkg/golang-github-digitorus-pkcs7
https://github.com/digitorus/pkcs7

is a fork of

https://github.com/mozilla-services/pkcs7

which is Debianized in git but fortunately not uploaded into Debian:

https://salsa.debian.org/go-team/packages/golang-mozilla-pkcs7
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990572

But we instead got this package:

https://tracker.debian.org/pkg/golang-github-fullsailor-pkcs7
https://github.com/fullsailor/pkcs7

Both golang-github-digitorus-pkcs7 and golang-github-fullsailor-pkcs7
have a similar FTBFS bug since Go 1.24 stopped accepting RSA with SHA1
signatures, even with GODEBUG=x509sha1=1:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098552
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098553

I noticed this bug report:

https://github.com/fullsailor/pkcs7/issues/52

Which points to a fork that is maintained:

https://github.com/smallstep/pkcs7

I prepared packaging of it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098766
https://salsa.debian.org/go-team/packages/golang-github-smallstep-pkcs7
https://salsa.debian.org/jas/golang-github-smallstep-pkcs7/-/pipelines

Unlike the others this one has seen commits even up to the last week, so
it looks better maintained.  But the RSA-SHA1 problem still exists.  I
brought this up with upstream, and hope to package it and continue to see
if maybe it can replace the other two packages in Debian:

https://github.com/smallstep/pkcs7/issues/45

I worry about how to fix the FTBFS bugs for the two unmaintained forks
we already have in Debian...  of course we can patch out the self-tests,
which probably is the simplest way forward here, but maybe we can get
this fixed properly upstream and change all users to use the maintained
fork instead.

/Simon
