Package: wnpp
Owner: Reinhard Tartler <siret...@tauware.de>
Severity: wishlist

* Package name    : golang-github-go-jose-go-jose.v3
  Version         : 3.0.3
  Upstream Author : https://github.com/go-jose/go-jose
* URL or Web page : https://github.com/go-jose/go-jose
* License         : Apache 2.0
  Description     : Implementation of JOSE standards (JWE, JWS, JWT) in Go (library), v3 branch

I intend to re-upload go-jose v3 to sid.

While upstream really prefers projects to move to the v4 branch, that branch
requires significant changes to applications. In Debian, we still have a
number of packages depending on the v2 branch, which is out of maintenance.
Moving them over to v3 is more expedient than waiting for upstreams to port
over to v4.

The two main changes from v3 to v4 are:

- requires golang 1.21
- accepted 'alg' and 'enc' values in incoming JWTs/JWEs need to be specified.
  In v3, go-jose would accept all implemented algorithms, which can cause
  issues. Going forward, software needs to be explicit about what it accepts.

I came across this when looking at a CVE in buildah, noticing that ocicrypt
is currently using the v2 branch in Debian (!), whereas upstream is using the
v4 branch. We upgraded the package to v4 earlier this year, and to get
ocicrypt to build against that, this might be required:

https://github.com/containers/ocicrypt/pull/109

To avoid this for other packages, let's re-introduce .v3 for now and port
packages currently using .v2 over to .v4, and where that is difficult, at
least to .v3 as an interim step.
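To illustrate the second point above (a verifier that takes the 'alg' header at face value versus one that checks it against an explicit allowlist before doing any cryptography), here is an added, self-contained Go example. It is not go-jose code and does not use the go-jose API; it implements a minimal compact-JWS HS256 signer and verifier with the standard library only, so it runs offline. The key, payload, and the forged "alg":"none" token are constructed for the example, and the function names (SignHS256, ForgeNone, VerifyCompact) are this example's own, not a library's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Header is the subset of the JOSE protected header this example inspects.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
}

var (
	ErrMalformed    = errors.New("jws: malformed compact serialization")
	ErrAlgRejected  = errors.New("jws: algorithm not in allowlist")
	ErrBadSignature = errors.New("jws: signature verification failed")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 produces a compact JWS (header.payload.signature) over payload
// using HMAC-SHA256 with key.
func SignHS256(payload, key []byte) string {
	hdr, _ := json.Marshal(Header{Alg: "HS256", Typ: "JWT"})
	signingInput := b64(hdr) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// ForgeNone builds a constructed, unsigned token claiming "alg":"none".
// A verifier that trusts the header would accept it; ours must not.
func ForgeNone(payload []byte) string {
	hdr, _ := json.Marshal(Header{Alg: "none"})
	return b64(hdr) + "." + b64(payload) + "."
}

// VerifyCompact parses a compact JWS and verifies it with key, but only if
// the header's alg is in allowed. The allowlist is checked before any
// cryptographic work, which is the discipline the v4 API change enforces by
// making callers name the algorithms they accept.
func VerifyCompact(token string, key []byte, allowed []string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var hdr Header
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, ErrMalformed
	}
	if !contains(allowed, hdr.Alg) {
		return nil, fmt.Errorf("%w: %q", ErrAlgRejected, hdr.Alg)
	}
	switch hdr.Alg {
	case "HS256":
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(parts[0] + "." + parts[1]))
		sig, err := base64.RawURLEncoding.DecodeString(parts[2])
		if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
			return nil, ErrBadSignature
		}
	default:
		// Only HS256 is implemented here; an allowlisted but unimplemented
		// alg is still an error, never a silent pass.
		return nil, fmt.Errorf("%w: %q not implemented", ErrAlgRejected, hdr.Alg)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	return payload, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-example-key")      // constructed for the example
	payload := []byte(`{"sub":"alice","admin":false}`) // constructed claims
	allowed := []string{"HS256"}

	good := SignHS256(payload, key)
	claims, err := VerifyCompact(good, key, allowed)
	fmt.Printf("HS256 token:     claims=%s err=%v\n", claims, err)

	_, err = VerifyCompact(ForgeNone(payload), key, allowed)
	fmt.Printf("alg=none token:  err=%v\n", err)

	_, err = VerifyCompact(good, key, []string{"RS256"})
	fmt.Printf("HS256 vs RS256-only allowlist: err=%v\n", err)
}
```

The point of the example is the ordering: the allowlist decision happens on the parsed header before any key material is touched, so a token naming an algorithm the application never intended to accept is rejected for that reason alone, independent of whether a signature check would have passed.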