Progress update: I've tried to reach out to minio/pkg upstream and ask
them to bump to go-jwx v2:

https://github.com/minio/pkg/pull/139

Upstream lestrrat-go/jwx commented on minio/pkg here:

https://github.com/lestrrat-go/jwx/issues/1239#issuecomment-2495080886

Let's wait some time and see if they address it, otherwise I think the
golang-github-lestrrat-go-jwx-v2 path is unavoidable.

/Simon

Simon Josefsson <simon@josefsson.org> writes:

> Hi
>
> The golang-github-lestrrat-go-jwx package contains the v1 branch, which
> upstream says is archived:
>
> https://github.com/lestrrat-go/jwx/tree/v1?tab=readme-ov-file#users-of-githubcomlestrratgo-jwx
>
> The v2 and v3 branches seem recommended.
>
> I'm considering packaging buildkit (an avoidable dependency of cosign)
> which depends on buildkite-go-pipeline that uses the v2 branch of
> lestrrat-go-jwx.
>
> I tried upgrading golang-github-lestrrat-go-jwx to v2 but then the
> single reverse dependency golang-github-minio-pkg isn't happy:
>
> https://salsa.debian.org/jas/golang-github-lestrrat-go-jwx/-/jobs/6622218
>
> dpkg-checkbuilddeps: error: Unmet build dependencies: golang-github-lestrrat-go-jwx-dev (<< 2.0)
>
> Alas upstream seems to have disabled bug reporting:
> https://github.com/minio/pkg
>
> Is there any way out of this except adding
> golang-github-lestrrat-go-jwx-v2 that provides the v2 branch?
>
> Could we get minio/pkg to use the v2 branch, and update
> golang-github-lestrrat-go-jwx to v2?
>
> I'm going down the golang-github-lestrrat-go-jwx-v2 route now, but
> wanted to bring this up before filing ITP and doing the NEW upload.
>
> /Simon