Comment 9 for bug 2045552

Julian Andres Klode (juliank) wrote :

I believe that is what happened to some extent, but it certainly wasn't our goal. Our goal is to (be able to) uphold our commitment to the security team to keep our dependencies up-to-date, and there are no stable branches to pick from (often not even tags) nor do we want to fork hundreds of repos and add redirects to go.mod so that we can use them, so that means we need to regularly update to the latest upstream git branches.

We did not pick the latest versions for all the measurement code, but just the bare minimum to get it working. The dependabot bot did some updates of the golang.org utility libraries and the test suite helper, but those do not have stable branches, so we ultimately have no choice but to keep them updated when the bot tells us to.

From an SRU perspective this should be straightforward:

- Changes to the vendor/ directory are automatic and should be ignored, it is just an expansion of go.mod
- Check that go.mod contains the same (or newer) versions of the dependencies as snapd to ensure we don't miss security fixes.
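The second review step above (compare the go.mod of the package under review against snapd's and flag any dependency pinned to an older version) is mechanical enough to script. The following is an added example written for this page, not code from the bug report, from snapd or from the project being reviewed: both go.mod contents are constructed samples, the function names are my own, and the version comparison is a deliberate simplification that handles vMAJOR.MINOR.PATCH plus timestamp-based pseudo-versions but not the full semver prerelease rules.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample go.mod contents for the demonstration; neither is the
// real go.mod of snapd or of the package under review.
const snapdGoMod = `module github.com/snapcore/snapd

go 1.21

require (
	github.com/example/measure v1.4.2
	golang.org/x/sys v0.0.0-20231010120000-aaaaaaaaaaaa
	github.com/example/testhelper v0.9.0
)
`

const ourGoMod = `module example.com/ourproject

go 1.21

require github.com/example/measure v1.4.2

require (
	golang.org/x/sys v0.0.0-20230901000000-bbbbbbbbbbbb // indirect
	github.com/example/testhelper v0.10.0
)
`

// parseRequires maps module path -> version from a go.mod, handling both the
// single-line "require x vN" form and the "require ( ... )" block form.
// Trailing comments such as "// indirect" are stripped.
func parseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				out[f[0]] = f[1]
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				out[f[1]] = f[2]
			}
		}
	}
	return out
}

// compareVersions returns -1, 0 or 1 ordering a before, equal to or after b.
// MAJOR.MINOR.PATCH are compared numerically (so v0.10.0 > v0.9.0); a release
// outranks any prerelease of the same core; otherwise the prerelease suffix is
// compared lexically, which is correct for timestamped pseudo-versions that
// share a base version. Simplified: not a full semver implementation.
func compareVersions(a, b string) int {
	core := func(v string) ([3]int, string) {
		v = strings.TrimPrefix(v, "v")
		if i := strings.Index(v, "+"); i >= 0 {
			v = v[:i] // drop build metadata
		}
		pre := ""
		if i := strings.Index(v, "-"); i >= 0 {
			pre, v = v[i+1:], v[:i]
		}
		var n [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	na, pa := core(a)
	nb, pb := core(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	case pa < pb:
		return -1
	}
	return 1
}

// Finding records a dependency that our go.mod pins older than the reference.
type Finding struct {
	Module, Ours, Reference string
}

// olderThanReference lists every module present in both go.mod files whose
// version in ours is older than in ref (snapd's, in the review step above).
// Modules only the reference has are not our dependencies and are ignored.
func olderThanReference(ours, ref map[string]string) []Finding {
	var out []Finding
	for mod, refVer := range ref {
		if ourVer, ok := ours[mod]; ok && compareVersions(ourVer, refVer) < 0 {
			out = append(out, Finding{mod, ourVer, refVer})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	for _, f := range olderThanReference(parseRequires(ourGoMod), parseRequires(snapdGoMod)) {
		fmt.Printf("OLDER: %s ours=%s snapd=%s\n", f.Module, f.Ours, f.Reference)
	}
}
```

On the sample input only golang.org/x/sys is reported: the measurement library matches exactly and the test helper is newer than snapd's (v0.10.0 versus v0.9.0, which a naive string comparison would get wrong). For production use, replace compareVersions with golang.org/x/mod/semver.Compare, which implements the full ordering rules; the script is still only a screen for the reviewer, since a matching version number does not by itself prove a security fix is present.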