Thanks! Alas minio-pkg doesn't build with go-jwx v2:

# github.com/minio/pkg/licverifier
src/github.com/minio/pkg/licverifier/verifier.go:105:18: undefined: jwk.New
src/github.com/minio/pkg/licverifier/verifier.go:111:9: keyset.Add undefined (type jwk.Set has no field or method Add)
src/github.com/minio/pkg/licverifier/verifier.go:179:59: undefined: jwt.UseDefaultKey
# github.com/minio/pkg/env
src/github.com/minio/pkg/env/web_env.go:103:19: undefined: jwk.New
src/github.com/minio/pkg/env/web_env.go:122:33: cannot use jwa.HS512 (constant "HS512" of type jwa.SignatureAlgorithm) as jwt.SignOption value in argument to jwt.Sign: jwa.SignatureAlgorithm does not implement jwt.SignOption (missing method Ident)
go.etcd.io/etcd/api/etcdserverpb

The only reverse dependency is golang-github-minio-colorjson, and that
package happens to build with minio-pkg without pkg/licverifier and
pkg/env/web_env... so we can simply patch away the dependency on go-jwx
in minio-pkg.

Thoughts? I think this is an acceptable path forward.

I have opened an upstream pull request to update it to v2 but no
response:

https://github.com/minio/pkg/pull/139

I agree having two versions is bad, but I'm not sure how to resolve this
generally unless upstream co-operate and there seems to be some general
impedance mismatch between Debian's requirements and what most Go
upstreams care about. One variant I'm exploring for TUF is to have the
TUF *-dev package include both v0 and v2 branches, maybe the same could
be done for lestrrat-go-jwx.

I prefer going down the path to patch away the dependency on go-jwx in
minio/pkg. Any objection?

/Simon

Mathias Gibbens <gibmat@debian.org> writes:

> Yes, I remember I had initially filed the ITP for v2 of
> golang-github-lestrrat-go-jwx, but since golang-github-minio-pkg wanted v1 I
> went with the path of least resistance. :)
>
> I'm personally of the opinion that you should just bump the existing
> packaging of golang-github-lestrrat-go-jwx to v2 without introducing an
> entirely new package. Since the changes to minio-pkg don't seem to
> include any actual code modifications, if its tests continue to pass
> with v2 let's just go with that. (Although as I type that, I don't
> remember if maybe I _had_ encountered some build/test error with v2,
> thus necessitating the packaging of v1....) I think that would be
> better in the long term versus having two different major versions of
> golang-github-lestrrat-go-jwx in the archive.
>
> Mathias
>
> On Sun, 2024-11-24 at 13:44 +0100, Simon Josefsson wrote:
>> Progress update: I've tried to reach out to minio/pkg upstream and
>> ask them to bump to go-jwx v2:
>>
>> https://github.com/minio/pkg/pull/139
>>
>> Upstream lestrrat-go/jwx commented on minio/pkg here:
>>
>> https://github.com/lestrrat-go/jwx/issues/1239#issuecomment-2495080886
>>
>> Let's wait some time and see if they address it, otherwise I think
>> the golang-github-lestrrat-go-jwx-v2 path is unavoidable.
>>
>> /Simon
>>
>> Simon Josefsson <simon@josefsson.org> writes:
>>
>> > Hi
>> >
>> > The golang-github-lestrrat-go-jwx package contains the v1 branch,
>> > which upstream says is archived:
>> >
>> > https://github.com/lestrrat-go/jwx/tree/v1?tab=readme-ov-file#users-of-githubcomlestrratgo-jwx
>> >
>> > The v2 and v3 branches seem recommended.
>> >
>> > I'm considering packaging buildkit (an avoidable dependency of
>> > cosign) which depends on buildkite-go-pipeline that uses the v2
>> > branch of lestrrat-go-jwx.
>> >
>> > I tried upgrading golang-github-lestrrat-go-jwx to v2 but then the
>> > single reverse dependency golang-github-minio-pkg isn't happy:
>> >
>> > https://salsa.debian.org/jas/golang-github-lestrrat-go-jwx/-/jobs/6622218
>> >
>> > dpkg-checkbuilddeps: error: Unmet build dependencies: golang-github-lestrrat-go-jwx-dev (<< 2.0)
>> >
>> > Alas upstream seems to have disabled bug reporting:
>> > https://github.com/minio/pkg
>> >
>> > Is there any way out of this except adding
>> > golang-github-lestrrat-go-jwx-v2 that provides the v2 branch?
>> >
>> > Could we get minio/pkg to use the v2 branch, and update
>> > golang-github-lestrrat-go-jwx to v2?
>> >
>> > I'm going down the golang-github-lestrrat-go-jwx-v2 route now, but
>> > wanted to bring this up before filing ITP and doing the NEW upload.
>> >
>> > /Simon