
Re: Sigstore rekor current status and request for help



On Mon, Jan 15, 2024 at 09:16:05PM +0100, Simon Josefsson wrote:
> GITHUB.COM/IN-TOTO/IN-TOTO-GOLANG
> 
> Packaging is here:
> https://salsa.debian.org/go-team/packages/in-toto-golang
> 
> Latest build output:
> https://salsa.debian.org/jas/in-toto-golang/-/jobs/5162631
> ...
> We depend on golang-github-go-jose-go-jose-dev which provides v3.0.1 --
> https://tracker.debian.org/pkg/golang-github-go-jose-go-jose -- why
> isn't it picked up?

Seems symlinking go.mod does not work in spiffe. I've pushed a fix to salsa.

> GITHUB.COM/GOOGLE/TRILLIAN
> 
> Packaging is here:
> https://salsa.debian.org/go-team/packages/trillian/
> 
> Latest build output:
> https://salsa.debian.org/jas/trillian/-/jobs/5162705
> ...
> The etcd I don't understand, the package depends on
> golang-etcd-server-dev that despite its name appears to include the
> client.  Why isn't it picked up?

What exactly is not being picked up is go.etcd.io/etcd/client/v3/concurrency
(notice "concurrency"). This is because the said directory is not present
in the package.

$ apt-file list golang-etcd-server-dev | grep concurrency
golang-etcd-server-dev: /usr/share/gocode/src/go.etcd.io/etcd/clientv3/concurrency/doc.go
golang-etcd-server-dev: /usr/share/gocode/src/go.etcd.io/etcd/clientv3/concurrency/election.go

> Same regarding contrib.go.opencensus.io/exporter/stackdriver, we depend
> on golang-go.opencensus-dev that seems to have it.

It can't find precisely "contrib.go.opencensus.io/exporter/stackdriver" (notice "contrib").
The Debian package has gopath and package name go.opencensus.io.

$ apt-file list golang-go.opencensus-dev | grep stack
golang-go.opencensus-dev: /usr/share/gocode/src/go.opencensus.io/exporter/stackdriver/propagation/http.go
golang-go.opencensus-dev: /usr/share/gocode/src/go.opencensus.io/exporter/stackdriver/propagation/http_test.go

You're likely running into versioning differences w/ this and etcd both.

> Finally github.com/apache/beam seems like a huge project, I haven't
> started looking at it.  Can it be avoided somehow?
> 
> GITHUB.COM/SIGSTORE/SIGSTORE
> 
> Packaging is here:
> https://salsa.debian.org/go-team/packages/golang-github-sigstore-sigstore
> 
> I believe it may be as simple as upgrading it to the latest version:
> 
> https://tracker.debian.org/pkg/golang-github-sigstore-sigstore
> 
> I haven't looked into that yet since I haven't worked out a method to
> rebuild all reverse dependencies for a package.

You can use one of these:

https://tracker.debian.org/pkg/ratt
https://salsa.debian.org/ruby-team/meta
 
If you're subscribed to the list, can I stop CC'ing you?

Best,
Nilesh
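
Added example, not part of the original message: a shell check that turns `apt-file list` output into the set of Go import paths a -dev package ships and compares it with the path the build asks for. The function names are hypothetical, the sample lines are the ones quoted in the message, and the /usr/share/gocode/src prefix is assumed from that output.

```sh
#!/bin/sh
# Sample input: the apt-file lines quoted in the message above.
SAMPLE_LIST='golang-etcd-server-dev: /usr/share/gocode/src/go.etcd.io/etcd/clientv3/concurrency/doc.go
golang-etcd-server-dev: /usr/share/gocode/src/go.etcd.io/etcd/clientv3/concurrency/election.go
golang-go.opencensus-dev: /usr/share/gocode/src/go.opencensus.io/exporter/stackdriver/propagation/http.go
golang-go.opencensus-dev: /usr/share/gocode/src/go.opencensus.io/exporter/stackdriver/propagation/http_test.go'

# Read `apt-file list` output on stdin and print each shipped Go import path
# once (the directory of every .go file under the gocode source root).
provided_import_paths() {
    sed -n 's|^[^:]*: /usr/share/gocode/src/\(.*\)/[^/]*\.go$|\1|p' | sort -u
}

# has_import_path LIST IMPORT: succeed only if IMPORT is shipped verbatim.
has_import_path() {
    printf '%s\n' "$1" | provided_import_paths | grep -Fxq -- "$2"
}

# near_misses LIST IMPORT: print shipped paths that contain the last
# component of IMPORT, i.e. the same code under a different module path.
near_misses() {
    printf '%s\n' "$1" | provided_import_paths |
        awk -F/ -v leaf="${2##*/}" \
            '{ for (i = 1; i <= NF; i++) if ($i == leaf) { print; break } }'
}

# Report on the two imports the build could not resolve.
for want in go.etcd.io/etcd/client/v3/concurrency \
            contrib.go.opencensus.io/exporter/stackdriver; do
    if has_import_path "$SAMPLE_LIST" "$want"; then
        echo "OK      $want"
    else
        echo "MISSING $want"
        near_misses "$SAMPLE_LIST" "$want" | sed 's/^/  shipped instead: /'
    fi
done
```

On a real system, pipe `apt-file list <package>` into `provided_import_paths` instead of using the embedded sample.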
