[MIR] golang-golang-x-oauth2

Bug #1568165 reported by Nicholas Skaggs
This bug affects 1 person
Affects: golang-golang-x-oauth2 (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Availability]
Source-only package currently available in universe.

[Rationale]
Build-dependency for juju. This is part of our ongoing work for bug 1508120, to stop bundling our dependencies in our source package.

[Security]
This is a source package which will only be used by other Go projects that build-depend on it.
Standard practice in the Go ecosystem unfortunately is not to do any release/tag, nor publish changelogs, bugfix announcements or other advisory information.
Most of those projects will therefore have a 0.0+git-hash kind of version scheme for their packaged form.
Updates to those will typically be a completely new snapshot and refresh of their downstreams to match or be a one-off cherry-pick after a specific issue is reported.

[Quality assurance]
Source-only, arch:all package.
There are currently no bug reports filed against this source package.
The package is either maintained in Debian or maintained by its upstream directly in Ubuntu.
Most of those packages do not have a debian/watch file due to their upstream never pushing out versioned releases.

[Dependencies]
We are only interested in the -dev source-only package. None of those have build-dependencies due to being source-only.

[Maintenance]
This package already has a maintainer, and exists in the archive already. As with the other juju packages, the ubuntu-server team will provide ownership. However, the Juju QA team has also been subscribed to all bug mails for this package, and all others which we are requesting promotion into main as part of work on bug 1508120 in order to ensure a smooth transition.

[Background information]
These MIRs are being filed in support of the ongoing work on bug 1508120, at the behest of the Security team, and the FFe for juju-core's inclusion in main for xenial, bug 1545913.

Note, the juju package will continue to bundle this dependency for trusty and older releases, due to lack of go support and resources to backport and maintain these dependencies in trusty. However, these dependencies are used for all new builds, and have priority whenever present. This is in line with the security team's recommendations and agreement as part of bug 1508120.

description: updated
Michael Terry (mterry) wrote :

- Should subscribe ubuntu-server to bugs.
- Honest question, I'm not super familiar with the Go landscape: is this the leading / only oauth2 library? Does core not have one? I don't think there's another one we've promoted to main, but my memory might be failing me here. I just want to make sure we don't end up supporting two in main.
- This depends on some Google API packages, which would normally be covered by golang-google-api, but I'm guessing they are not in that package, to avoid a circular dependency chain? Regardless, if we keep them separate, we need MIRs for golang-google-appengine-dev and golang-google-cloud-compute-metadata-dev.

Changed in golang-golang-x-oauth2 (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for golang-golang-x-oauth2 (Ubuntu) because there has been no activity for 60 days.]

Changed in golang-golang-x-oauth2 (Ubuntu):
status: Incomplete → Expired
Changed in golang-golang-x-oauth2 (Ubuntu):
status: Expired → Incomplete
Changed in golang-golang-x-oauth2 (Ubuntu):
status: Incomplete → Expired