[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: golang-github-lestrrat-go-jwx



Progress update: I've tried to reach out to minio/pkg upstream and ask
them to bump to go-jwx v2:

https://github.com/minio/pkg/pull/139

Upstream lestrrat-go/jwx commented on minio/pkg here:

https://github.com/lestrrat-go/jwx/issues/1239#issuecomment-2495080886

Let's wait some time and see if they address it, otherwise I think the
golang-github-lestrrat-go-jwx-v2 path is unavoidable.

/Simon

Simon Josefsson <simon@josefsson.org> writes:

> Hi
>
> The golang-github-lestrrat-go-jwx package contains the v1 branch, which
> upstream says is archived:
>
> https://github.com/lestrrat-go/jwx/tree/v1?tab=readme-ov-file#users-of-githubcomlestrratgo-jwx
>
> The v2 and v3 branches seems recommended.
>
> I'm considering packaging buildkit (an avoidable dependency of cosign)
> which depends on buildkite-go-pipeline that uses the v2 branch of
> lestrrat-go-jwx.
>
> I tried upgrading golang-github-lestrrat-go-jwx to v2 but then the
> single reverse dependency golang-github-minio-pkg isn't happy:
>
> https://salsa.debian.org/jas/golang-github-lestrrat-go-jwx/-/jobs/6622218
>
> dpkg-checkbuilddeps: error: Unmet build dependencies: golang-github-lestrrat-go-jwx-dev (<< 2.0)
>
> Alas upstream seems to have disabled bug reporting:
> https://github.com/minio/pkg
>
> Is there any way out of this except adding
> golang-github-lestrrat-go-jwx-v2 that provide the v2 branch?
>
> Could we get minio/pkg to use the v2 branch, and update
> golang-github-lestrrat-go-jwx to v2?
>
> I'm going down the golang-github-lestrrat-go-jwx-v2 route now, but
> wanted to bring this up before filing ITP and doing the NEW upload.
>
> /Simon
>

Attachment: signature.asc
Description: PGP signature


Reply to: