
Re: Sigstore rekor current status and request for help



Shengjing Zhu writes:

> On Tue, Jan 16, 2024 at 4:16 AM Simon Josefsson <simon-RTwAkxXyIg7PknubsQK+Mg@public.gmane.org> wrote:
>>
>> Hi
>>
>> I want to get Sigstore's rekor <https://github.com/sigstore/rekor> into
>> Debian so that <https://gitlab.com/debdistutils/apt-sigstore> can be
>> included.  I'm new to Go and how Debian approaches Go code, but have
>> made some progress.  I'm now stuck.  This e-mail summarizes the open
>> issues.  Can someone take a look and help me?  If you want, feel free to
>> push to any of the git repositories below with improvements.
>>
>
> As you want to package rekor to support apt-sigstore, I would suggest
> you to only package rekor-cli, the client part of rekor.
> The rekor repository contains both server and client implementations.
> This will cut down lots of dependencies. The server part not only
> brings more library dependencies, but also more maintenance burden,
> like how to setup, how to support version upgrade between Debian
> releases.

Thank you!  This was one of the pieces of senior advice I was looking
for, and I was initially excited that this would reduce the number of
dependencies.
After some reading I found this setting:

export DH_GOLANG_BUILDPKG="github.com/sigstore/rekor/cmd/rekor-cli"

However it does not lead to any reduction of dependencies.  We still
need the following in Debian (or modify rekor to not use them):

github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
github.com/sassoftware/relic/lib/pkcs7
github.com/google/trillian
github.com/google/trillian/types
github.com/in-toto/in-toto-golang/in_toto
github.com/sassoftware/relic/lib/signjar
github.com/sassoftware/relic/lib/pkcs9
github.com/cavaliercoder/go-rpm
sigs.k8s.io/release-utils/version

/Simon

Attachment: signature.asc
Description: PGP signature
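The question the message above leaves open is which import chain drags each of the listed packages into a build of cmd/rekor-cli alone. The following is an added example, not code from the thread or from the rekor project: a small Go tool that reads the concatenated JSON objects that `go list -deps -json ./...` prints for a module, then reports which non-standard-library packages are reachable from a chosen root package and the shortest import chain that reaches each one. The embedded import graph is constructed for illustration and is not rekor's real dependency graph; the package names it uses (cmd/rekor-cli/app, pkg/types/rpm, pkg/types/jar, pkg/api) are assumptions made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// pkg holds the fields of `go list -json` output that the walk needs.
type pkg struct {
	ImportPath string   `json:"ImportPath"`
	Imports    []string `json:"Imports"`
	Standard   bool     `json:"Standard"`
}

// ParseGoList decodes the stream of concatenated JSON objects that
// `go list -deps -json <pattern>` writes to stdout, keyed by import path.
func ParseGoList(r io.Reader) (map[string]*pkg, error) {
	dec := json.NewDecoder(r)
	graph := make(map[string]*pkg)
	for {
		p := new(pkg)
		err := dec.Decode(p)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		graph[p.ImportPath] = p
	}
	return graph, nil
}

// ImportChain returns the shortest chain of imports from root to target
// (both inclusive), or nil when target is not reachable from root.
func ImportChain(graph map[string]*pkg, root, target string) []string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var chain []string
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		p, ok := graph[cur]
		if !ok {
			continue // imported but not listed: treat as a leaf
		}
		for _, imp := range p.Imports {
			if _, seen := parent[imp]; !seen {
				parent[imp] = cur
				queue = append(queue, imp)
			}
		}
	}
	return nil
}

// ThirdPartyDeps returns, sorted, every non-standard-library package that is
// reachable from root and lives outside the module named by modulePath.
func ThirdPartyDeps(graph map[string]*pkg, root, modulePath string) []string {
	var out []string
	seen := map[string]bool{root: true}
	stack := []string{root}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		p, ok := graph[cur]
		if !ok {
			continue
		}
		if !p.Standard && cur != modulePath && !strings.HasPrefix(cur, modulePath+"/") {
			out = append(out, cur)
		}
		for _, imp := range p.Imports {
			if !seen[imp] {
				seen[imp] = true
				stack = append(stack, imp)
			}
		}
	}
	sort.Strings(out)
	return out
}

// sampleGoList is a constructed, deliberately small graph in the shape of
// `go list -deps -json ./...` output. It is NOT rekor's real import graph;
// pkg/api is included only to show a server-only package the CLI never reaches.
const sampleGoList = `
{"ImportPath":"fmt","Standard":true,"Imports":[]}
{"ImportPath":"github.com/sigstore/rekor/cmd/rekor-cli","Imports":["fmt","github.com/sigstore/rekor/cmd/rekor-cli/app"]}
{"ImportPath":"github.com/sigstore/rekor/cmd/rekor-cli/app","Imports":["github.com/sigstore/rekor/pkg/types","sigs.k8s.io/release-utils/version"]}
{"ImportPath":"github.com/sigstore/rekor/pkg/types","Imports":["github.com/sigstore/rekor/pkg/types/rpm","github.com/sigstore/rekor/pkg/types/jar"]}
{"ImportPath":"github.com/sigstore/rekor/pkg/types/rpm","Imports":["github.com/cavaliercoder/go-rpm"]}
{"ImportPath":"github.com/sigstore/rekor/pkg/types/jar","Imports":["github.com/sassoftware/relic/lib/signjar"]}
{"ImportPath":"github.com/cavaliercoder/go-rpm","Imports":["fmt"]}
{"ImportPath":"github.com/sassoftware/relic/lib/signjar","Imports":["fmt"]}
{"ImportPath":"sigs.k8s.io/release-utils/version","Imports":["fmt"]}
{"ImportPath":"github.com/sigstore/rekor/pkg/api","Imports":["github.com/google/trillian"]}
{"ImportPath":"github.com/google/trillian","Imports":["fmt"]}
`

func main() {
	graph, err := ParseGoList(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	root := "github.com/sigstore/rekor/cmd/rekor-cli"
	for _, dep := range ThirdPartyDeps(graph, root, "github.com/sigstore/rekor") {
		fmt.Printf("%s\n  via %s\n", dep, strings.Join(ImportChain(graph, root, dep), " -> "))
	}
	// In the constructed graph the server-only trillian import is not reached from the CLI.
	fmt.Println("trillian reachable from rekor-cli:", ImportChain(graph, root, "github.com/google/trillian") != nil)
}
```

Against a real checkout, replace the constant with the output of `go list -deps -json ./...` run in the module root (or pipe it in), and set root to the package named in DH_GOLANG_BUILDPKG. Each chain the tool prints is the set of rekor packages that would have to stop importing a dependency before it could be dropped from the Debian package; `go mod why <package>` gives the same answer one package at a time.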