Revendor to include fixed version of depending libraries

- GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
    golang.org/x/crypto to v0.43.0
  - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
    github.com/go-viper/mapstructure/v2 to v2.4.0
  - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
  - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
    github.com/cloudflare/circl to v1.6.1
  - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
    golang.org/x/crypto/ssh to v0.45.0
  - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
    golang.org/x/crypto/ssh/agent to v0.45.0

.gitignore

@@ -2,11 +2,3 @@
 _scmsync.obsinfo
 build.specials.obscpio
 git-bug/
-.assets/
-_buildconfig-*
-_buildinfo-*.xml
-*.obscpio
-*.osc
-_build.*
-.pbuild
-git-bug-*-build/

.gitmodules

@@ -1,4 +0,0 @@
-[submodule "upstream"]
-	path = git-bug
-	url = https://github.com/openSUSE-Python/git-bug.git
-	branch = devel

_service

@@ -1,20 +1,23 @@
 <services>
-    <service name="obs_scm" mode="manual">
-        <param name="scm">git</param>
+    <!-- service name="tar_scm" mode="manual">
+        <param name="versionprefix">0.8.1+git</param>
+        <param name="revision">v0.8.1</param>
         <param name="url">https://github.com/git-bug/git-bug.git</param>
-        <param name="versionprefix">0.10.1+git</param>
-        <param name="revision">trunk</param>
+        <param name="scm">git</param>
         <param name="changesgenerate">enable</param>
         <param name="changesauthor">mcepl@cepl.eu</param>
     </service>
-    <service name="tar" mode="manual">
-    </service>
-    <service name="recompress" mode="manual">
+    <service name="tar" mode="buildtime"/>
+    <service name="recompress" mode="buildtime">
         <param name="file">*.tar</param>
-        <param name="compression">xz</param>
+        <param name="compression">gz</param>
     </service>
-    <service name="set_version" mode="manual"/>
+    <service name="set_version" mode="manual"/ -->
     <service name="go_modules" mode="manual">
-        <param name="compression">xz</param>
+      <param name="replace">golang.org/x/crypto=golang.org/x/crypto@v0.43.0</param>
+      <param name="replace">github.com/go-viper/mapstructure/v2=github.com/go-viper/mapstructure/v2@v2.4.0</param>
+      <param name="replace">github.com/cloudflare/circl=github.com/cloudflare/circl@v1.6.1</param>
+      <param name="replace">golang.org/x/crypto/ssh=golang.org/x/crypto/ssh@v0.45.0</param>
+      <param name="replace">golang.org/x/crypto/ssh/agent=golang.org/x/crypto/ssh/agent@v0.45.0</param>
     </service>
 </services>

_servicedata

@@ -3,4 +3,4 @@
                 <param name="url">https://github.com/MichaelMure/git-bug.git</param>
               <param name="changesrevision">d499b6e9d3333334614924669b74640a2d0b5485</param></service><service name="tar_scm">
                 <param name="url">https://github.com/git-bug/git-bug.git</param>
-              <param name="changesrevision">9427c459ab325d37653453b0c19529ed6b1af61a</param></service></servicedata>
+              <param name="changesrevision">96c7a111a3cb075b5ce485f709c3eb82da121a50</param></service></servicedata>

git-bug.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Nov 25 17:41:00 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Revendor to include fixed version of depending libraries:
+  - GO-2025-4116 (CVE-2025-47913, bsc#1253506) upgrade
+    golang.org/x/crypto to v0.43.0
+  - GO-2025-3900 (GHSA-2464-8j7c-4cjm) upgrade
+    github.com/go-viper/mapstructure/v2 to v2.4.0
+  - GO-2025-3787 (GHSA-fv92-fjc5-jj9h) included in the previous
+  - GO-2025-3754 (GHSA-2x5j-vhc8-9cwm) upgrade
+    github.com/cloudflare/circl to v1.6.1
+  - GO-2025-4134 (CVE-2025-58181, bsc#1253930) upgrade
+    golang.org/x/crypto/ssh to v0.45.0
+  - GO-2025-4135 (CVE-2025-47914, bsc#1254084) upgrade
+    golang.org/x/crypto/ssh/agent to v0.45.0
+
 -------------------------------------------------------------------
 Wed Oct 15 20:05:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
 

git-bug.obsinfo

@@ -1,4 +1,4 @@
 name: git-bug
-version: 0.10.1+git.1756577779.9427c459
-mtime: 1756577779
-commit: 9427c459ab325d37653453b0c19529ed6b1af61a
+version: 0.8.0+git.1742269202.0ab94c9
+mtime: 1742269202
+commit: 0ab94c9b7ac53ca9ab56febcf5cc3f26959e8b8a

git-bug.spec

@@ -17,21 +17,24 @@
 
 
 Name:           git-bug
-Version:        0.10.1+git.1756577779.9427c459
+Version:        0.10.1
 Release:        0
 Summary:        Distributed, offline-first bug tracker embedded in git, with bridges
 License:        MIT
 URL:            https://github.com/MichaelMure/git-bug
-#!CreateArchive: git-bug
-Source0:        %{name}-%{version}.tar.xz
-Source1:        vendor.tar.xz
-Patch0:         patch-go-mod.patch
-BuildRequires:  golang(API) = 1.23
+Source0:        https://github.com/MichaelMure/%{name}/archive/refs/tags/v%{version}.tar.gz#/git-bug-%{version}.tar.gz
+# Source0:        git-bug-%%{version}.tar.gz
+Source1:        vendor.tar.gz
+# PATCH-FIX-UPSTREAM remote-config.patch gh#MichaelMure/git-bug!1076 mcepl@suse.com
+# try reading git-bug.remote config value before defaulting to 'origin' when no explicit REMOTE argument
+Patch0:         remote-config.patch
+BuildRequires:  golang(API) = 1.24
 # # PATCH-FEATURE-UPSTREAM 501-export.patch gh#MichaelMure/git-bug!501 mcepl@suse.com
 # # add a command to export bugs as raw operations
 # Patch0:         501-export.patch
 BuildRequires:  golang-packaging
 BuildRequires:  git
+BuildRequires:  golang(API) = 1.22
 
 %description
 git-bug is a bug tracker that:
@@ -89,7 +92,12 @@ zsh shell completions for git-bug
 %autosetup -p1 -a1
 
 %build
-go build -v -mod=vendor -buildmode=pie
+# COMMANDS_PATH="github.com/git-bug/git-bug/commands"
+# LDFLAGS="-X ${COMMANDS_PATH}.GitCommit=${GIT_COMMIT} \
+# 	-X ${COMMANDS_PATH}.GitLastTag=${GIT_LAST_TAG} \
+# 	-X ${COMMANDS_PATH}.GitExactTag=${GIT_EXACT_TAG}"
+export GOFLAGS="-buildmode=pie"
+go build
 
 %install
 install -Dm755 git-bug %{buildroot}%{_bindir}/git-bug

patch-go-mod.patch

@@ -1,136 +0,0 @@
----
- go.mod |   20 +++++++++++---------
- go.sum |   40 ++++++++++++++++++++++------------------
- 2 files changed, 33 insertions(+), 27 deletions(-)
-
-Index: git-bug-0.10.1+git.1756577779.9427c459/go.mod
-===================================================================
---- git-bug-0.10.1+git.1756577779.9427c459.orig/go.mod	2025-08-30 20:16:19.000000000 +0200
-+++ git-bug-0.10.1+git.1756577779.9427c459/go.mod	2025-10-15 19:14:44.633398360 +0200
-@@ -31,13 +31,15 @@
- 	github.com/vbauerster/mpb/v8 v8.8.2
- 	github.com/vektah/gqlparser/v2 v2.5.26
- 	gitlab.com/gitlab-org/api/client-go v0.116.0
--	golang.org/x/crypto v0.37.0
-+	golang.org/x/crypto v0.42.0
- 	golang.org/x/oauth2 v0.27.0
--	golang.org/x/sync v0.13.0
--	golang.org/x/sys v0.32.0
--	golang.org/x/text v0.24.0
-+	golang.org/x/sync v0.17.0
-+	golang.org/x/sys v0.36.0
-+	golang.org/x/text v0.29.0
- )
- 
-+require golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
-+
- require (
- 	dario.cat/mergo v1.0.1 // indirect
- 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
-@@ -109,12 +111,12 @@
- 	github.com/xanzy/ssh-agent v0.3.3 // indirect
- 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
- 	go.etcd.io/bbolt v1.4.0 // indirect
--	golang.org/x/mod v0.24.0
--	golang.org/x/net v0.39.0
--	golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 // indirect
--	golang.org/x/term v0.31.0
-+	golang.org/x/mod v0.27.0
-+	golang.org/x/net v0.45.0
-+	golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488 // indirect
-+	golang.org/x/term v0.35.0
- 	golang.org/x/time v0.3.0 // indirect
--	golang.org/x/tools v0.32.0 // indirect
-+	golang.org/x/tools v0.36.0 // indirect
- 	golang.org/x/vuln v1.1.3
- 	google.golang.org/protobuf v1.36.6 // indirect
- 	gopkg.in/warnings.v0 v0.1.2 // indirect
-Index: git-bug-0.10.1+git.1756577779.9427c459/go.sum
-===================================================================
---- git-bug-0.10.1+git.1756577779.9427c459.orig/go.sum	2025-08-30 20:16:19.000000000 +0200
-+++ git-bug-0.10.1+git.1756577779.9427c459/go.sum	2025-10-15 19:14:44.633398360 +0200
-@@ -257,28 +257,28 @@
- golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
- golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
- golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
--golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
--golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
-+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
- golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
- golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
- golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
- golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
--golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
--golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
- golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
- golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
- golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
- golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
- golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
--golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
--golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
-+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
- golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
- golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
- golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
- golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
- golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
--golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
--golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
- golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
- golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
- golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-@@ -291,33 +291,37 @@
- golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
- golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
- golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
--golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
--golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
--golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4 h1:ka7TMW0Mo8QYTXm2hXSQ9fFUXS7Zln3S4pe9aq4JC7w=
--golang.org/x/telemetry v0.0.0-20240723021908-ccdfb411a0c4/go.mod h1:amNmu/SBSm2GAF3X+9U2C0epLocdh+r5Z+7oMYO5cLM=
-+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-+golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488 h1:3doPGa+Gg4snce233aCWnbZVFsyFMo/dR40KK/6skyE=
-+golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
- golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
- golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
- golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
- golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
--golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
--golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
-+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
- golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
- golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
- golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
- golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
- golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
- golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
--golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
--golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
-+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
- golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
- golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
- golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
- golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
- golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
- golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
--golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
--golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
-+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-+golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
-+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
-+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
- golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw=
- golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY=
- golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=