


Bug#1125158: RFS: syft/1.42.3+ds-1 [ITP]

From Juan <juan.mendezr@proton.me>
Newsgroups linux.debian.bugs.dist
Subject Bug#1125158: RFS: syft/1.42.3+ds-1 [ITP]
Date 2026-03-30 12:40 +0200
Message-ID <MEich-bohl-11@gated-at.bofh.it> (permalink)
References <Mbwh3-9oUF-5@gated-at.bofh.it>
Organization linux.* mail to news gateway




X-Debbugs-Cc: arturo@debian.org

Hi Maytham,

Thanks a lot for having a look at the package. I am resuming the work of getting syft and grype into Debian.

Regarding vendored dependencies: I understand the concern and fully agree with the goal.

However, I'd like to make the case that an interim vendored upload could be appropriate here, consistent with Debian Policy and existing archive precedent.

- Debian Policy 4.13 states that packages "should not" use embedded copies and that dependencies "should be packaged separately as a prerequisite *if possible*" [1]. With 114 of 324 Go dependencies not yet in Debian (35%), full de-vendoring is not currently possible.

- There is precedent in the archive: docker.io, containerd, and prometheus are all accepted into the Debian archive with vendored Go dependencies. Each documents the rationale in debian/README.source, as I have done.

e.g.:
https://salsa.debian.org/lts-team/packages/docker.io/-/blob/debian/buster/debian/README.source

https://salsa.debian.org/go-team/packages/containerd/-/blob/debian/sid/debian/README.source

https://salsa.debian.org/go-team/packages/prometheus/-/tree/debian/sid/debian/vendor

- Progress since the initial RFS:
Since my January RFS, 6 more dependencies have been resolved:
golang-github-cyclonedx-cyclonedx-go
golang-modernc-sqlite
golang-modernc-libc
golang-github-gkampitakis-go-snaps
golang-go.uber-atomic
golang-go.uber-multierr

The package is now at 210/324 packaged.

The packaging strategy and de-vendoring roadmap that I propose are documented in debian/README.source.

My intention is to maintain this within the Go Packaging Team afterwards.

I have updated the package to version 1.42.3+ds-1 on:
https://salsa.debian.org/mendezr/syft
https://mentors.debian.net/package/syft

dget -x https://mentors.debian.net/debian/pool/main/s/syft/syft_1.42.3+ds-1.dsc

Please let me know your thoughts.

Cc: Arturo, who has also shown interest in sponsoring

Regards,
Juan Manuel Méndez Rey
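The message above tallies vendored Go modules against what is already in the Debian archive (210/324 packaged). The example below is added here and is not part of the original message or of the syft packaging; it shows how such a tally can be produced mechanically: parse a vendor/modules.txt, derive the Debian source package name for each module using the naming convention dh-make-golang applies (github.com/x/y becomes golang-github-x-y, go.uber.org/atomic becomes golang-go.uber-atomic, modernc.org/sqlite becomes golang-modernc-sqlite; the host-to-prefix table and the "drop the last DNS label" fallback here are a simplification of that tool's public-suffix lookup), and compare against a list of packaged names. Both the modules.txt excerpt and the archive list are constructed sample data, not syft's real vendor tree or the real state of the archive.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleModulesTxt is a constructed excerpt in the vendor/modules.txt format:
// module records start with "# <path> <version>", "## explicit" marker lines
// and bare package lines follow. It is NOT syft's actual vendor list.
const sampleModulesTxt = `# github.com/CycloneDX/cyclonedx-go v0.9.1
## explicit; go 1.20
github.com/CycloneDX/cyclonedx-go
# go.uber.org/atomic v1.11.0
## explicit
go.uber.org/atomic
# modernc.org/sqlite v1.34.1
## explicit
modernc.org/sqlite
# github.com/gkampitakis/go-snaps v0.5.7
## explicit
github.com/gkampitakis/go-snaps
# github.com/anchore/stereoscope v0.0.3
## explicit
github.com/anchore/stereoscope
# golang.org/x/net v0.30.0
## explicit
golang.org/x/net/html
`

// sampleArchive is a constructed stand-in for "which golang-* source packages
// exist in Debian" (in practice you would feed this from apt-cache or UDD).
var sampleArchive = map[string]bool{
	"golang-github-cyclonedx-cyclonedx-go": true,
	"golang-go.uber-atomic":                true,
	"golang-modernc-sqlite":                true,
	"golang-github-gkampitakis-go-snaps":   true,
	"golang-golang-x-net":                  true,
}

// debianSourceName maps a Go module path to the Debian source package name
// following the dh-make-golang convention (simplified: a fixed host table plus
// "strip the last DNS label" for other hosts instead of a public-suffix lookup).
func debianSourceName(modulePath string) string {
	parts := strings.Split(modulePath, "/")
	host := strings.ToLower(parts[0])
	switch host {
	case "github.com":
		host = "github"
	case "golang.org":
		host = "golang"
	case "google.golang.org":
		host = "google"
	case "gopkg.in":
		host = "gopkg"
	case "bitbucket.org":
		host = "bitbucket"
	default:
		if i := strings.LastIndex(host, "."); i > 0 {
			host = host[:i] // go.uber.org -> go.uber, modernc.org -> modernc
		}
	}
	name := strings.ToLower("golang-" + host + "-" + strings.Join(parts[1:], "-"))
	name = strings.ReplaceAll(name, "_", "-") // Debian package names cannot contain "_"
	return strings.Trim(name, "-")
}

// parseModules returns the module paths recorded in a vendor/modules.txt body.
func parseModules(modulesTxt string) []string {
	var mods []string
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "# ") { // "## explicit" and package lines are skipped
			continue
		}
		if f := strings.Fields(line[2:]); len(f) > 0 {
			mods = append(mods, f[0])
		}
	}
	return mods
}

// Report is the packaged/missing split an RFS like the one above reports.
type Report struct {
	Total    int
	Packaged []string // Debian source names found in the archive
	Missing  []string // module paths that still need to be packaged first
}

func devendorReport(modulesTxt string, inArchive map[string]bool) Report {
	var r Report
	for _, m := range parseModules(modulesTxt) {
		r.Total++
		if deb := debianSourceName(m); inArchive[deb] {
			r.Packaged = append(r.Packaged, deb)
		} else {
			r.Missing = append(r.Missing, m)
		}
	}
	return r
}

func main() {
	r := devendorReport(sampleModulesTxt, sampleArchive)
	fmt.Printf("%d/%d packaged (%.0f%% still vendored)\n", len(r.Packaged), r.Total,
		100*float64(len(r.Missing))/float64(r.Total))
	for _, m := range r.Missing {
		fmt.Println("missing:", m, "->", debianSourceName(m))
	}
}
```

On the constructed data this prints 5/6 packaged with github.com/anchore/stereoscope as the remaining vendored module; the "Missing" list is exactly the list of ITPs a de-vendoring roadmap has to work through.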



Thread

Bug#1125158: RFS: syft/1.42.3+ds-1 [ITP] Juan <juan.mendezr@proton.me> - 2026-03-30 12:40 +0200
  Bug#1125158: RFS: syft/1.42.3+ds-1 [ITP] Arturo Borrero Gonzalez <arturo@debian.org> - 2026-03-30 21:50 +0200
