Simon Josefsson <simon@josefsson.org> writes:

> x) github.com/sigstore/sigstore/pkg/tuf - according to upstream, TUF
> support is deprecated so we dropped this part. However cosign still
> uses it. There are open GitHub issues related to TUF, but help
> appreciated if anyone knows how to assist cosign upstream to drop the
> github.com/sigstore/sigstore/pkg/tuf dependency, assuming that is the
> right thing.

I've tried to analyze the cosign relationship to TUF v0, and found this
issue:

https://github.com/sigstore/cosign/issues/3548

If I understand correctly, cosign v2.x will continue to depend on TUF v0
for quite some time, even when the TUF v2 support is added. This is
still needed even though github.com/sigstore/sigstore-go and
github.com/sigstore/sigstore are using TUF v2.

Alas, maybe the transition from v0 to v2 was premature here:

https://tracker.debian.org/pkg/golang-github-theupdateframework-go-tuf

OTOH, we have other packages that depend on v2, such as the upcoming
github.com/sigstore/sigstore-go, which is also a cosign dependency. So it
seems there is no simple way around having BOTH v0 and v2 if we want to
get current cosign into Debian.

I'll experiment with creating a golang-github-theupdateframework-go-tuf-v0
source package.

> x) github.com/google/go-github/v55/github - maybe just a package version
> upgrade? Help appreciated.

This was easy to fix:

https://salsa.debian.org/go-team/packages/cosign/-/commit/dbe3954b01e5e8085e66ef45d12f1e4da10965b6

/Simon
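The "BOTH v0 and v2" situation in the message above comes from Go's semantic import versioning: a module at major version 2 or later carries the major version in its import path (github.com/theupdateframework/go-tuf/v2), so it is a different module from github.com/theupdateframework/go-tuf (v0/v1) and the two can, and here must, coexist in one build, which for Debian means two source packages. The following is an added illustration, not code from cosign, sigstore or the Debian packaging; the go.mod excerpt it parses is constructed for the example and the version numbers in it are made up. It lists which major versions of a given base module a go.mod requires.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// goModExcerpt is a constructed go.mod fragment for illustration only; it is
// not cosign's real go.mod and the versions below are invented.
const goModExcerpt = `module example.com/cosign-like

go 1.22

require (
	github.com/google/go-github/v55 v55.0.0
	github.com/sigstore/sigstore v1.8.0
	github.com/sigstore/sigstore-go v0.5.0
	github.com/theupdateframework/go-tuf v0.7.0 // TUF v0, still needed
	github.com/theupdateframework/go-tuf/v2 v2.0.0 // TUF v2, separate module path
)
`

// Requirement is one entry of a go.mod require block.
type Requirement struct {
	Path    string // full module path, including any /vN suffix
	Version string
}

// majorSuffix matches the "/v2", "/v55", ... suffix that Go puts in the
// module path for major versions >= 2.
var majorSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`)

// ParseRequires extracts require entries (block and single-line forms)
// from go.mod text. Trailing "// indirect" style comments are ignored.
func ParseRequires(text string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs = append(reqs, Requirement{f[0], f[1]})
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs = append(reqs, Requirement{f[1], f[2]})
			}
		}
	}
	return reqs
}

// SplitMajor returns the base module path and the major version encoded in
// the path: "/v2" and up are part of the path; anything else is v0 or v1,
// which share the unsuffixed path and are reported as "v0/v1".
func SplitMajor(path string) (base, major string) {
	if m := majorSuffix.FindStringSubmatch(path); m != nil {
		return strings.TrimSuffix(path, m[0]), "v" + m[1]
	}
	return path, "v0/v1"
}

// MajorsOf lists the distinct majors of base module `base` that the
// requirements pull in, sorted. More than one entry means more than one
// independent module (and, in Debian terms, more than one source package).
func MajorsOf(reqs []Requirement, base string) []string {
	seen := map[string]bool{}
	for _, r := range reqs {
		if b, m := SplitMajor(r.Path); b == base {
			seen[m] = true
		}
	}
	var out []string
	for m := range seen {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	reqs := ParseRequires(goModExcerpt)
	for _, r := range reqs {
		b, m := SplitMajor(r.Path)
		fmt.Printf("%-45s %-8s base=%s major=%s\n", r.Path, r.Version, b, m)
	}
	fmt.Println("go-tuf majors required:",
		MajorsOf(reqs, "github.com/theupdateframework/go-tuf"))
}
```

Run against a real go.mod (replace the constant with the file contents), the same check shows whether a dependency tree can be served by a single Debian source package for a module or needs one per major version, which is the decision the message above is making for go-tuf.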