On Wed, Oct 23, 2024 at 4:59 PM Simon Josefsson <si...@josefsson.org> wrote:
> Status update:
>
> - I've canceled the TUF *-v2 NEW package, preferring your advice to
>   upgrade the existing package from v0.
>
> - TUF 2.0.2 is uploaded into experimental:
>   https://tracker.debian.org/pkg/golang-github-theupdateframework-go-tuf
>
> - Upstream for rekor + sigstore-sigstore replied quickly that TUF v0 is
>   deprecated for those projects, so we can patch it out.
>
> - I've uploaded sigstore-sigstore 1.8.10-2 that disables TUF.
>
> - I've prepared rekor that also disables TUF, but I'm waiting for
>   sigstore 1.8.10-2 to reach unstable to test a final clean build
>   that should be without TUF.
>
> - I've identified that golang-github-containers-image depends on TUF v0,
>   but I cannot understand why that dependency is there? No traces in
>   the source code. Any objections to uploading a new version without
>   that dependency? I'm doing reverse build testing right now to make
>   sure I'm not missing anything.
>

That's strange. Yeah, please feel free to upload a change to containers/image to sid that drops this dependency at your convenience.

> - Once rekor + sigstore-sigstore + containers-image are in unstable, I
>   believe we can upload TUF v2 into unstable too since nothing should
>   rely on TUF v0 in Debian any longer.
>
> Btw, in case someone wonders 'why?', then the above are dependencies of
> sigstore-go which is a new package that is needed by the latest cosign,
> and cosign is what I'd like to get into Debian eventually.
>

Awesome! Thanks for looking into this!

-- 
regards,
Reinhard