All,

For anyone wondering what is holding up 'cosign', here is the latest update and request for assistance.

Latest code as usual here:

https://salsa.debian.org/go-team/packages/cosign/

Real build pipelines churning here:

https://salsa.debian.org/jas/cosign/-/pipelines

Watch the debian/salsa-ci.yml for non-sid B-D's -- https://salsa.debian.org/go-team/packages/cosign/-/blob/debian/sid/debian/salsa-ci.yml -- currently we are waiting for NEW handling of these packages:

golang-github-smallstep-crypto
sigstore-go
golang-github-withfig-autocomplete-tools

Let's look at the latest build output:

https://salsa.debian.org/jas/cosign/-/jobs/6622639

It fails due to these dependencies:

cannot find package "github.com/sigstore/sigstore/pkg/tuf
cannot find package "github.com/google/go-github/v55/github
cannot find package "github.com/sigstore/sigstore/pkg/fulcioroots
cannot find package "cuelang.org/go/cue/cuecontext
cannot find package "cuelang.org/go/cue/load
cannot find package "cuelang.org/go/encoding/json
cannot find package "github.com/open-policy-agent/opa/rego

Going through these:

x) github.com/sigstore/sigstore/pkg/tuf - according to upstream, TUF support is deprecated so we dropped this part. However cosign still uses it. There are open github issues related to TUF, but help appreciated if anyone knows how to assist cosign upstream to drop the github.com/sigstore/sigstore/pkg/tuf dependency, assuming that is the right thing.

x) github.com/google/go-github/v55/github - maybe just a package version upgrade? Help appreciated.

x) github.com/sigstore/sigstore/pkg/fulcioroots - I haven't analyzed this at all.

x) cuelang.org/go/ - seems like an entire eco-system on its own, can we patch this out of cosign? Could

x) github.com/open-policy-agent/opa/rego - I have packaged this and it builds fine locally but seems to fail on Salsa:

https://salsa.debian.org/jas/golang-github-open-policy-agent-opa/-/pipelines/765894

However this packaging doesn't look optimal, it is 1.5GB large and contains a lot of vendored stuff. Can we patch cosign to avoid OPA?

/Simon