Status update:

- I've canceled the TUF *-v2 NEW package, preferring your advice to upgrade the existing package from v0.
- TUF 2.0.2 is uploaded into experimental: https://tracker.debian.org/pkg/golang-github-theupdateframework-go-tuf
- Upstream for rekor + sigstore-sigstore replied quickly that TUF v0 is deprecated for those projects, so we can patch it out.
- I've uploaded sigstore-sigstore 1.8.10-2 that disables TUF.
- I've prepared rekor that also disables TUF, but I'm waiting for sigstore 1.8.10-2 to reach unstable to test a final clean build that should be without TUF.
- I've identified that golang-github-containers-image depends on TUF v0, but I cannot understand why that dependency is there? No traces in the source code. Any objections to uploading a new version without that dependency? I'm doing reverse build testing right now to make sure I'm not missing anything.
- Once rekor + sigstore-sigstore + containers-image are in unstable, I believe we can upload TUF v2 into unstable too, since nothing should any longer rely on TUF v0 in Debian.

Btw, in case someone wonders 'why?', the above are dependencies of sigstore-go, which is a new package that is needed by the latest cosign, and cosign is what I'd like to get into Debian eventually.

/Simon