Hi
I want to get Sigstore's rekor <https://github.com/sigstore/rekor> into
Debian so that <https://gitlab.com/debdistutils/apt-sigstore> can be
included. I'm new to Go and how Debian approaches Go code, but have
made some progress. I'm now stuck. This e-mail summarize the open
issues. Can someone take a look and help me? If you want, feel free to
push to any of the git repositories below with improvements.
My rekor packaging lives here, including its pipeline:
https://salsa.debian.org/jas/golang-github-sigstore-rekor/
https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/pipelines
It is a fork of an earlier unfinished attempt that lives here, I hope to
merge back things once they work:
https://salsa.debian.org/go-team/packages/golang-github-sigstore-rekor
Latest build attempt of rekor:
https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/jobs/5162176
It raises errors about the following dependencies:
github.com/sassoftware/relic
github.com/in-toto/in-toto-golang
sigs.k8s.io/release-utils
github.com/google/trillian
github.com/sigstore/sigstore
google.golang.org/grpc
Let's go through them one-by-one.
GITHUB.COM/SASSOFTWARE/RELIC
Packaging is here:
https://salsa.debian.org/go-team/packages/relic
Latest build output:
https://salsa.debian.org/jas/relic/-/jobs/5162602
Fails like this:
# github.com/sassoftware/relic/cmdline/remotecmd
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:65:20: cannot use &dvCache{…} (value of type *dvCache) as cache.ExportReplace value in argument to public.WithCache: *dvCache does not implement cache.ExportReplace (wrong type for method Export)
have Export(cache.Marshaler, string)
want Export(context.Context, cache.Marshaler, cache.ExportHints) error
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:79:12: not enough arguments in call to s.cli.Accounts
have ()
want (context.Context)
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:79:12: assignment mismatch: 1 variable but s.cli.Accounts returns 2 values
The reason seems to be that our
golang-github-azuread-microsoft-authentication-library-for-go-dev is too
new. Should we package an older version?
I have opened an upstream bug about this requesting them to use a newer
dependency:
https://github.com/sassoftware/relic/issues/39
Looking at the API changes, I think this could be patched easily by
somehow who knows Go. Is that the right approach? Patches welcome.
GITHUB.COM/IN-TOTO/IN-TOTO-GOLANG
Packaging is here:
https://salsa.debian.org/go-team/packages/in-toto-golang
Latest build output:
https://salsa.debian.org/jas/in-toto-golang/-/jobs/5162631
src/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go:10:2:
cannot find package "github.com/go-jose/go-jose/v3" in any of:
src/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go:8:2:
cannot find package "github.com/go-jose/go-jose/v3/jwt" in any of:
src/github.com/spiffe/go-spiffe/v2/workloadapi/client.go:20:2:
cannot find package "google.golang.org/grpc/credentials/insecure" in any of:
We depend on golang-github-go-jose-go-jose-dev which provides v3.0.1 --
https://tracker.debian.org/pkg/golang-github-go-jose-go-jose -- why
isn't it picked up?
The google.golang.org/grpc dependency is probably too old, needs to be
fixed here and already discussed on the mailing list fairly recently:
https://tracker.debian.org/pkg/golang-google-grpc
SIGS.K8S.IO/RELEASE-UTILS
Packaging is here:
https://salsa.debian.org/go-team/packages/golang-k8s-sigs-release-utils
Latest build output:
https://salsa.debian.org/jas/golang-k8s-sigs-release-utils/-/jobs/5162686
There is discussion about this one here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060840
Can we avoid this dependency by patch rekor? That would be nice since
it seems like a problematic package. It needs
github.com/uwu-tools/magex and github.com/common-nighthawk/go-figure
that are not packaged.
GITHUB.COM/GOOGLE/TRILLIAN
Packaging is here:
https://salsa.debian.org/go-team/packages/trillian/
Latest build output:
https://salsa.debian.org/jas/trillian/-/jobs/5162705
Dependency problems:
google.golang.org/grpc/credentials/insecure
go.etcd.io/etcd/client/v3
contrib.go.opencensus.io/exporter/stackdriver
github.com/cockroachdb/cockroach-go
github.com/apache/beam
go.etcd.io/etcd/server
The grpc is already mentioned.
The etcd I don't understand, the package depends on
golang-etcd-server-dev that despite its name appears to include the
client. Why isn't it picked up?
Same regarding contrib.go.opencensus.io/exporter/stackdriver, we depend
on golang-go.opencensus-dev that seems to have it.
Finally github.com/apache/beam seems like a huge project, I haven't
started looking at it. Can it be avoided somehow?
GITHUB.COM/SIGSTORE/SIGSTORE
Packaging is here:
https://salsa.debian.org/go-team/packages/golang-github-sigstore-sigstore
I believe it may be as simple as upgrading it to the latest version:
https://tracker.debian.org/pkg/golang-github-sigstore-sigstore
I haven't looked into that yet since I haven't worked out a method to
rebuild all reverse dependencies for a package.
GOOGLE.GOLANG.ORG/GRPC
Already discussed earlier under in-toto-golang.
/Simon
Attachment:
signature.asc
Description: PGP signature