Bug#1061446: cosign: first binary packages available

To: debian-go@lists.debian.org
Cc: 1061446@bugs.debian.org
Subject: Bug#1061446: cosign: first binary packages available
From: Simon Josefsson <simon@josefsson.org>
Date: Sun, 01 Dec 2024 14:48:29 +0100
Message-id: <[🔎] 874j3nv7iq.fsf_-_@kaka.sjd.se>
Reply-to: Simon Josefsson <simon@josefsson.org>, 1061446@bugs.debian.org
In-reply-to: <87ttbv2zk5.fsf_-_@kaka.sjd.se> (Simon Josefsson's message of "Mon, 25 Nov 2024 14:49:46 +0100")
References: <87ed3620tj.fsf@kaka.sjd.se> <87y11861nu.fsf@kaka.sjd.se> <87ttbv2zk5.fsf_-_@kaka.sjd.se> <87a5outz7c.fsf@kaka.sjd.se>

All,

After some insight from upstream about TUFv0 vs TUFv2 use by cosign,
there is finally a Salsa built cosign package to test!

echo "deb [trusted=yes] https://salsa.debian.org/jas/cosign/-/jobs/6682245/artifacts/raw/aptly experimental main" | tee --append /etc/apt/sources.list.d/add.list
sudo apt-get update
sudo apt-get install cosign
cosign version

If you know how to use cosign, please try the various sub-commands and
tell us what works and what doesn't.

The packaging is still rough (no man page and no self-tests), but I've
uploaded it into NEW for copyright review to get started.

For those wondering how the TUFv0-vs-v2 dilemma is resolved, you may not
want to know but here is the story:

x) The problem is that cosign requires both github.com/sigstore/sigstore
("ss") and github.com/sigstore/sigstore-go ("ssg"), and that ss depends
on TUFv0 and ssg depends on TUFv2, and further TUF branches are not
released in a namespace-clean way so v0 and v2 cannot be co-installed in
Debian.

x) Upstream discussions implied that we could simply try to patch
things, pending their upstream resolution to this (which may not happen
until cosign v3 and I'm not holding my breath on that).

x) I've uploaded golang-github-sigstore-sigstore 1.8.10-3~exp0 to
experimental that again ships pkg/tuf/ and pkg/fulcioroots/ but patched
to use my own invention of a github.com/theupdateframework/go-tuf/v0
namespace from the golang-github-theupdateframework-go-tuf-dev >>
2.0.2+0.7.0.  Any other packages that require TUFv0 will need similar
patching, but I expect/hope this to be minimal.

x) I've uploaded golang-github-theupdateframework-go-tuf 2.0.2+0.7.0-1
to experimental that includes a new orig.tar component of the v0 0.7.0
branch, and some patching to rename all references to
github.com/theupdateframework/go-tuf into
github.com/theupdateframework/go-tuf/v0 when building the v0 component,
and bringing back some old debian/copyright and build magic from the
earlier TUF 0.6.1-1 upload.

Better solutions are welcome!  I'm hoping github.com/sigstore/sigstore
will drop the TUFv0 dependency, or that github.com/sigstore/cosign will
drop the github.com/sigstore/sigstore dependency, so that we can drop
this ugly hack, and hopefully do that before trixie.

/Simon

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Bug#1008321: RFP: btdu -- stochastic disk use analyzer for btrfs
Next by Date: Bug#1088791: ITP: plattenalbum -- Client for the Music Player Daemon (MPD)
Previous by thread: Bug#1008321: RFP: btdu -- stochastic disk use analyzer for btrfs
Next by thread: Bug#1088791: ITP: plattenalbum -- Client for the Music Player Daemon (MPD)
Index(es):
- Date
- Thread