Bug#1061446: cosign: first binary packages available
All,

After some insight from upstream about TUFv0 vs TUFv2 use by cosign,
there is finally a Salsa built cosign package to test!

echo "deb [trusted=yes] https://salsa.debian.org/jas/cosign/-/jobs/6682245/artifacts/raw/aptly experimental main" | sudo tee --append /etc/apt/sources.list.d/add.list
sudo apt-get update
sudo apt-get install cosign
cosign version

If you know how to use cosign, please try the various sub-commands and
tell us what works and what doesn't.

The packaging is still rough (no man page and no self-tests), but I've
uploaded it into NEW for copyright review to get started.

For those wondering how the TUFv0-vs-v2 dilemma is resolved, you may not
want to know but here is the story:

x) The problem is that cosign requires both github.com/sigstore/sigstore
("ss") and github.com/sigstore/sigstore-go ("ssg"), and that ss depends
on TUFv0 and ssg depends on TUFv2, and further TUF branches are not
released in a namespace-clean way so v0 and v2 cannot be co-installed in
Debian.

x) Upstream discussions implied that we could simply try to patch
things, pending their upstream resolution to this (which may not happen
until cosign v3 and I'm not holding my breath on that).

x) I've uploaded golang-github-sigstore-sigstore 1.8.10-3~exp0 to
experimental that again ships pkg/tuf/ and pkg/fulcioroots/ but patched
to use my own invention of a github.com/theupdateframework/go-tuf/v0
namespace from the golang-github-theupdateframework-go-tuf-dev >>
2.0.2+0.7.0.  Any other packages that require TUFv0 will need similar
patching, but I expect/hope this to be minimal.

x) I've uploaded golang-github-theupdateframework-go-tuf 2.0.2+0.7.0-1
to experimental that includes a new orig.tar component of the v0 0.7.0
branch, and some patching to rename all references to
github.com/theupdateframework/go-tuf into
github.com/theupdateframework/go-tuf/v0 when building the v0 component,
and bringing back some old debian/copyright and build magic from the
earlier TUF 0.6.1-1 upload.

Better solutions are welcome!  I'm hoping github.com/sigstore/sigstore
will drop the TUFv0 dependency, or that github.com/sigstore/cosign will
drop the github.com/sigstore/sigstore dependency, so that we can drop
this ugly hack, and hopefully do that before trixie.

/Simon
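The import renaming described in the two x) items above, as an added shell example that is neither from the post nor from the Debian packages: a guarded sed filter that moves unversioned go-tuf import paths under the constructed /v0 namespace while skipping paths that already carry a major-version element (go-tuf/v2/..., or an already rewritten go-tuf/v0/...), so it is safe to rerun. The module paths are the ones named in the post; the sample Go file is constructed.

```sh
#!/bin/sh
# Rewrite Go import specs of the unversioned go-tuf module into the /v0
# namespace (the packager's own invention, per the post above). Lines whose
# go-tuf import already has a major version (go-tuf/v2/..., go-tuf/v0/...) are
# skipped, which keeps the filter idempotent, and unrelated modules that merely
# share the prefix (go-tuf-extra) never match because a "/" or closing quote
# must follow "go-tuf". Reads Go source on stdin, writes the result to stdout.
# go.mod and string literals are out of scope; only import paths are touched.
rewrite_go_tuf_imports() {
  sed -E \
    -e '\#"github\.com/theupdateframework/go-tuf/v[0-9]+(/|")#!s#"github\.com/theupdateframework/go-tuf(/|")#"github.com/theupdateframework/go-tuf/v0\1#g'
}

# Constructed sample: the bare module, a v0 sub-package that must move, a v2
# import that must stay, and an unrelated module sharing the prefix.
sample='package x

import (
	"github.com/theupdateframework/go-tuf"
	"github.com/theupdateframework/go-tuf/client"
	"github.com/theupdateframework/go-tuf/v2/metadata"
	"github.com/theupdateframework/go-tuf-extra/x"
)'

printf '%s\n' "$sample" | rewrite_go_tuf_imports
```

Running the filter twice over the same file yields identical output, which is the property to check before wiring it into a debian/rules target.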