Package: golang-github-in-toto-go-witness
Severity: important

This package has some upstream bugs that IMHO make it challenging to
properly make use of in Debian yet:

https://github.com/in-toto/go-witness/issues/684
https://github.com/in-toto/go-witness/issues/685
https://github.com/in-toto/go-witness/issues/676

The last bug, missing cosign v3 support, is not yet a deal-breaker,
because Debian only has cosign v2, but we really would like to move to
cosign v3, and the only blocker in Debian for this would be this
package.  So I think cosign v3 is more important than having go-witness
which needs v2.  We could package cosign v2 separately, if go-witness
will never upgrade to cosign v3 and is still useful to have in testing.

Re missing arch support, I'm not sure how to best deal with that, if
upstream doesn't fix that bug.  I had a similar problem with another
package, and I don't yet know of a solution for how to express this
situation in debian/*, see:

https://lists.debian.org/debian-go/2026/03/msg00065.html

The circular dependency issue is possible to work around, both packages
got into the archive after all, but it is a real pain.

If someone wants to get this into testing, just lower the severity of
this and discuss it (and be prepared to sort out the resulting mess).

/Simon
