Re: RFS: golang-github-go-git-go-git [RC] & dependencies

To: Simon Josefsson <simon@josefsson.org>
Cc: debian-go@lists.debian.org
Subject: Re: RFS: golang-github-go-git-go-git [RC] & dependencies
From: Maytham Alsudany <maytha8thedev@gmail.com>
Date: Sat, 30 Mar 2024 18:59:16 +0800
Message-id: <[🔎] 38bafb348ec7ddceaec332d6efde66c9f060e87d.camel@gmail.com>
In-reply-to: <[🔎] 87zfugumv3.fsf@kaka.sjd.se>
References: <[🔎] ec726796e0157ebb6e93590eff3750d30324f6a2.camel@gmail.com> <87cyrfvgjd.fsf@kaka.sjd.se> <[🔎] 49f56352a47092d623e14e98030c50223906f162.camel@gmail.com> <[🔎] 87zfugumv3.fsf@kaka.sjd.se>

Hi Simon,

On Sat, 2024-03-30 at 09:48 +0100, Simon Josefsson wrote:
> Maytham Alsudany <maytha8thedev@gmail.com> writes:
> 
> > https://salsa.debian.org/go-team/packages/golang-github-go-git-go-git-fixtures
> 
> I looked at this update, and one of the proposed changes is to include
> all of the pre-generated stuff from here:

Previous versions of the package also include this test data.

> https://github.com/go-git/go-git-fixtures/tree/master/data
> 
> directly into the installed Debian package.  Given the recent xz fiasco,
> I have doubts that this is a good idea -- there is a bunch of
> pre-generated compressed git repositories in that directory, and I don't
> see any way to re-create them from scratch.  They seem to have been
> manually curated by some developer in the past and then compressed and
> uploaded, somewhat similar to how the xz problem happened.

They can be decoded though to reveal the source; each tgz archive contains a
bare git repo, which can be converted into a normal git repo using the method
outlined at [1].

We can regenerate them manually, but it will take a bit of time to do so. What
I'm thinking is decompressing each repo archive, and converting the commits
into a series of patches, accompanied by a shell script or something that can
turn the patches into a Git repo with the correct branches, tags, etc.

Alternatively (in the long-term), we can drop the whole fixtures package as you
suggested, and rewrite the tests in go-git so that Git is used to generate the
test repos in the first place (using a Makefile or 'go generate').

> Dropping these files may mean we don't test as much of go-git that is
> possible to test, but the alternative that we create a vector to inject
> binaries with no source code into Debian seems worse.
> 
> Could you modify this package to drop any files that we cannot re-create
> during the build?  Maybe the entire package becomes useless, if so, then
> we should just remove it IMHO.

RM bug filed.

> Of course, I only did a cursory review, so I may have misunderstood how
> this project works and the relevance of these files.

AFAIK, you're right; the only purpose for these files is for tests in go-git.
Removing them isn't going to impact the functionality of go-git.

Kind regards,
Maytham

[1]: https://stackoverflow.com/a/10637882

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: RFS: golang-github-go-git-go-git [RC] & dependencies
  - From: Simon Josefsson <simon@josefsson.org>
- Re: RFS: golang-github-go-git-go-git [RC] & dependencies
  - From: Nilesh Patra <nilesh@debian.org>

References:
- RFS: golang-github-go-git-go-git [RC] & dependencies
  - From: Maytham Alsudany <maytha8thedev@gmail.com>
- Re: RFS: golang-github-go-git-go-git [RC] & dependencies
  - From: Maytham Alsudany <maytha8thedev@gmail.com>
- Re: RFS: golang-github-go-git-go-git [RC] & dependencies
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: RFS: golang-github-go-git-go-git [RC] & dependencies
Next by Date: Re: RFS: golang-github-go-git-go-git [RC] & dependencies
Previous by thread: Re: RFS: golang-github-go-git-go-git [RC] & dependencies
Next by thread: Re: RFS: golang-github-go-git-go-git [RC] & dependencies
Index(es):
- Date
- Thread