Debian Package Tracker
Register | Log in
Subscribe

golang-github-go-git-go-billy-v6

missing interface filesystem abstraction for Go (library)

Choose email to subscribe with

general
  • source: golang-github-go-git-go-billy-v6 (main)
  • version: 6.0.0~alpha.1-2
  • maintainer: Daniel Baumann (DMD)
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • testing: 6~git20260226.45bd095-2
  • unstable: 6.0.0~alpha.1-2
versioned links
  • 6~git20260226.45bd095-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 6.0.0~alpha.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • golang-github-go-git-go-billy-v6-dev
action needed
Marked for autoremoval on 15 August: #1141290 high
Version 6~git20260226.45bd095-2 of golang-github-go-git-go-billy-v6 is marked for autoremoval from testing on Sat 15 Aug 2026. It is affected by #1141290. The removal of golang-github-go-git-go-billy-v6 will also cause the removal of (transitive) reverse dependencies: git-pages, golang-github-go-git-go-git-fixtures-v5, golang-github-go-git-go-git-fixtures-v6, golang-github-go-git-go-git-v6. You should try to prevent the removal by fixing these RC bugs.
Created: 2026-07-09 Last update: 2026-07-10 06:02
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-44740: Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
  • CVE-2026-44973: Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.
Created: 2026-05-29 Last update: 2026-06-02 06:00
2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-44740: Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
  • CVE-2026-44973: Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0.
Created: 2026-05-29 Last update: 2026-06-02 06:00
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2026-06-06 Last update: 2026-07-10 06:01
3 new commits since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 4e39c2462a77cac215012d5d2210185dd8fc6000
Author: Daniel Baumann <daniel@debian.org>
Date:   Thu Jun 25 07:17:39 2026 +0200

    Setting go compatibility in rules.
    
    Signed-off-by: Daniel Baumann <daniel@debian.org>

commit 71911a10f36f42f150988d3d049a3963e1a047b0
Author: Daniel Baumann <daniel@debian.org>
Date:   Wed Jun 10 17:22:50 2026 +0200

    Using references in copyright to refer to full license texts.
    
    Signed-off-by: Daniel Baumann <daniel@debian.org>

commit e27bd584fc1668f84b367001fbe0a8d33433bddf
Author: Daniel Baumann <daniel@debian.org>
Date:   Mon Jun 1 00:49:54 2026 +0200

    Adding watch file.
    
    Signed-off-by: Daniel Baumann <daniel@debian.org>
Created: 2026-06-01 Last update: 2026-07-09 21:02
testing migrations
  • excuses:
    • Migration status for golang-github-go-git-go-billy-v6 (6~git20260226.45bd095-2 to 6.0.0~alpha.1-2): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Autopkgtest for golang-github-go-git-go-billy-v6/6.0.0~alpha.1-2: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for golang-github-go-git-go-git-fixtures-v5/5.1.1-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), armhf: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ Autopkgtest for golang-github-go-git-go-git-v6/6~git20260305.2083cf94-3: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), armhf: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • Additional info (not blocking):
    • ∙ ∙ Updating golang-github-go-git-go-billy-v6 will fix bugs in testing: #1141290
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/golang-github-go-git-go-billy-v6.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ Reproduced on armhf - info
    • ∙ ∙ Reproduced on i386 - info
    • ∙ ∙ 39 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2026-05-31] Accepted golang-github-go-git-go-billy-v6 6.0.0~alpha.1-2 (source) into unstable (Daniel Baumann)
  • [2026-05-31] Accepted golang-github-go-git-go-billy-v6 6.0.0~alpha.1-1 (source) into unstable (Daniel Baumann)
  • [2026-03-17] golang-github-go-git-go-billy-v6 6~git20260226.45bd095-2 MIGRATED to testing (Debian testing watch)
  • [2026-03-14] Accepted golang-github-go-git-go-billy-v6 6~git20260226.45bd095-2 (source) into unstable (Daniel Baumann)
  • [2026-03-11] Accepted golang-github-go-git-go-billy-v6 6~git20260226.45bd095-1 (source all) into unstable (Debian FTP Masters) (signed by: Daniel Baumann)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 6.0.0~alpha.1-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing