Bug 31843

Summary: Go-Azure: package does not provide all includes
Product: Mageia Reporter: Marc Krämer <mageia>
Component: RPM Packages Assignee: Guillaume Rousse <guillomovitch>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: golang-github-azure-sdk-55.0.0-7.mga9.src.rpm CVE:
Status comment:

Description Marc Krämer 2023-04-26 15:18:35 CEST
the package is big and has many functions implemented, but only a few are exported.
Since newer packages require this package to provide all the functions, it would be useful to have this package correct.

If I'm correct, there was a problem with urpmi which has problems with a large list - but anyway, we have to find a solution for it. Atm I can't provide the restic update.
Comment 1 Guillaume Rousse 2023-04-26 18:37:08 CEST
The problem comes from the usage of a fixed-size buffer in perl-URPM, truncating the list of virtual packages:
https://gitweb.mageia.org/software/rpm/perl-URPM/commit/?id=950d56e991d307b9b60bde8f51920bee3d1bc61c

And here is the related discussion on the mailing list:
https://ml.mageia.org/l/arc/dev/2022-12/msg00241.html
Comment 2 Marc Krämer 2023-04-26 19:08:06 CEST
I remember that discussion. I'm not following the development of urpm. Is this fixed? Or is our plan to add another provides to azure each time a package needs it?

Or can we just split up the azure package into subpackages?
Comment 3 Marc Krämer 2023-04-29 10:44:00 CEST
In order to update restic (to address CVE-2022-41723), I need a few more subpackages from azure. Can you please provide:

github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container


It looks like go makes VERY much use of modules and package managers. Every update of a package has new requirements. I'm not sure how we are going to handle this in future...
Comment 4 Marc Krämer 2023-04-29 10:53:52 CEST
and every build needs different versions...
Comment 5 Guillaume Rousse 2023-04-29 14:18:59 CEST
Those components are not present in current package version, an update to a new version is needed first. And this update requires quite a lot of additional packages not present in the distribution...
Comment 6 Guillaume Rousse 2023-04-30 12:00:01 CEST
Those dependencies are actually shipped by golang-github-azure-storage-blob-devel. I still don't understand why they are not advertised through dependencies, though.
Comment 7 Marc Krämer 2023-04-30 12:37:14 CEST
I've asked the question about packaging go-packages on dev list.

Stig suggested packing all dependent subpackages as a vendor.gz and adding it to the package itself. Just adding and managing a whole bunch of go-subpackages does not help much. And fixing security issues requires rebuilding all packages using it. I'm not sure what the best solution is, but either has its drawbacks.