Hi
I want to get Sigstore's rekor <https://github.com/sigstore/rekor> into
Debian so that <https://gitlab.com/debdistutils/apt-sigstore> can be
included. I'm new to Go and how Debian approaches Go code, but have
made some progress. I'm now stuck. This e-mail summarize the open
issues. Can someone take a look and help me? If you want, feel free to
push to any of the git repositories below with improvements.
My rekor packaging lives here, including its pipeline:
https://salsa.debian.org/jas/golang-github-sigstore-rekor/
https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/pipelines
It is a fork of an earlier unfinished attempt that lives here, I hope to
merge back things once they work:
https://salsa.debian.org/go-team/packages/golang-github-sigstore-rekor
Latest build attempt of rekor:
https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/jobs/5162176
It raises errors about the following dependencies:
github.com/sassoftware/relic
github.com/in-toto/in-toto-golang
sigs.k8s.io/release-utils
github.com/google/trillian
github.com/sigstore/sigstore
google.golang.org/grpc
Let's go through them one-by-one.
GITHUB.COM/SASSOFTWARE/RELIC
Packaging is here:
https://salsa.debian.org/go-team/packages/relic
Latest build output:
https://salsa.debian.org/jas/relic/-/jobs/5162602
Fails like this:
# github.com/sassoftware/relic/cmdline/remotecmd
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:65:20: cannot use &dvCache{…} (value of type *dvCache) as cache.ExportReplace value in argument to public.WithCache: *dvCache does not implement cache.ExportReplace (wrong type for method Export)
have Export(cache.Marshaler, string)
want Export(context.Context, cache.Marshaler, cache.ExportHints) error
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:79:12: not enough arguments in call to s.cli.Accounts
have ()
want (context.Context)
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:79:12: assignment mismatch: 1 variable but s.cli.Accounts returns 2 values
The reason seems to be that our
golang-github-azuread-microsoft-authentication-library-for-go-dev is too
new. Should we package an older version?
I have opened an upstream bug about this requesting them to use a newer
dependency:
https://github.com/sassoftware/relic/issues/39
Looking at the API changes, I think this could be patched easily by
somehow who knows Go. Is that the right approach? Patches welcome.
It's not so straightforward because azure bumped its API and did breaking changes.
I had the same problem in python recently.
GITHUB.COM/IN-TOTO/IN-TOTO-GOLANG
Packaging is here:
https://salsa.debian.org/go-team/packages/in-toto-golang
Latest build output:
https://salsa.debian.org/jas/in-toto-golang/-/jobs/5162631
src/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go:10:2:
cannot find package "github.com/go-jose/go-jose/v3" in any of:
src/github.com/spiffe/go-spiffe/v2/svid/jwtsvid/svid.go:8:2:
cannot find package "github.com/go-jose/go-jose/v3/jwt" in any of:
src/github.com/spiffe/go-spiffe/v2/workloadapi/client.go:20:2:
cannot find package "google.golang.org/grpc/credentials/insecure" in any of:
We depend on golang-github-go-jose-go-jose-dev which provides v3.0.1 --
https://tracker.debian.org/pkg/golang-github-go-jose-go-jose -- why
isn't it picked up?
The google.golang.org/grpc dependency is probably too old, needs to be
fixed here and already discussed on the mailing list fairly recently:
https://tracker.debian.org/pkg/golang-google-grpc
SIGS.K8S.IO/RELEASE-UTILS
Packaging is here:
https://salsa.debian.org/go-team/packages/golang-k8s-sigs-release-utils
Latest build output:
https://salsa.debian.org/jas/golang-k8s-sigs-release-utils/-/jobs/5162686
There is discussion about this one here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060840
Can we avoid this dependency by patch rekor? That would be nice since
it seems like a problematic package. It needs
github.com/uwu-tools/magex and github.com/common-nighthawk/go-figure
that are not packaged.
Yes, you should be able to get rid of it.
This is an example of how to inject the version, it might work well with DEB_UPSTREAM_VERSION
GITHUB.COM/GOOGLE/TRILLIAN
Packaging is here:
https://salsa.debian.org/go-team/packages/trillian/
Latest build output:
https://salsa.debian.org/jas/trillian/-/jobs/5162705
Dependency problems:
google.golang.org/grpc/credentials/insecure
go.etcd.io/etcd/client/v3
contrib.go.opencensus.io/exporter/stackdriver
github.com/cockroachdb/cockroach-go
github.com/apache/beam
go.etcd.io/etcd/server
The grpc is already mentioned.
The etcd I don't understand, the package depends on
golang-etcd-server-dev that despite its name appears to include the
client. Why isn't it picked up?
Probably a version discrepancy.
Check
/usr/lib/go-1.21/src/
go.etcd.io/etcd/server/v3/embedIn general you need to check each missing paths for clues.
It's cumbersome, but usually fixable. Golang is not as bad as it seems :)