
Bug#1029170: ITP: golang-github-sigstore-sigstore -- Common go library shared across sigstore services and clients



seems https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022937 was accepted. Any update on sigstore packaging?

On Fri, Jan 20, 2023 at 9:47 AM Reinhard Tartler <siretart@gmail.com> wrote:
Awesome, thanks for the update! 

Skimming over the sources of sigstore, it seems to me that the aws-sdk might be easy to disable with minor surgery. Would you be open to uploading a sigstore package to NEW with the aws functionality disabled and re-enable it as soon as the aws package becomes available in Debian?

-rt

On Fri, Jan 20, 2023 at 7:30 AM Leo Antunes <leo@antun.es> wrote:
Hi Reinhard!

I think this changed a bit in the meantime: now the sigstore project has mostly shared lib code, while the individual commands (rekor, fulcio, gitsign, etc) are all in separate repos. So I expect this library to not be THAT difficult to package (the next one on my list is rekor - see #990249 - which will probably require more work).
As soon as #1022937 is done (it has been waiting in NEW for 2 months), I expect sigstore to be a quick follow-up.
However, I'd gladly take an extra pair of eyes on the package, so I can ping you as soon as I have something that builds.


Thanks,
Leo Antunes
------- Original Message -------
On Thursday, January 19th, 2023 at 09:37, Reinhard Tartler <siretart@gmail.com> wrote:

Hi Leo,

Thank you so much for your interest in packaging this! -- I've noticed that it is a dependency of containers/image for image signing, and have looked at this package before. Unfortunately, I got intimidated by the sheer number of unpackaged dependencies that it requires. Maybe this has improved since the last time I looked at it? In any case, I've decided to patch the source to disable signing functionality to avoid requiring code from sigstore, which is of course very unfortunate.

Let me know if you could use another set of eyeballs or help with this package. It surely seems intimidating (at least to me).

best,
-rt

On Wed, Jan 18, 2023 at 3:21 PM Leo Antunes <costela@debian.org> wrote:
Package: wnpp
Severity: wishlist
Owner: Leo Antunes <costela@debian.org>

* Package name : golang-github-sigstore-sigstore
Version : 1.5.1-1
Upstream Author : The Sigstore Authors <info@sigstore.dev>
* URL : https://github.com/sigstore/sigstore
* License : Apache-2.0
Programming Lang: Go
Description : Common go library shared across sigstore services and clients

sigstore/sigstore contains common Sigstore code: that is, code shared
by infrastructure (e.g. Fulcio and Rekor) and Go language clients (e.g.
Cosign and Gitsign).



--
regards,
Reinhard



