Bug#1060840: ITP: golang-k8s-sigs-release-utils -- utilities for kubernetes Go release engineering (library)

Mon, 15 Jan 2024 06:39:43 -0800 

On Mon, Jan 15, 2024 at 10:25 PM Simon Josefsson <si...@josefsson.org> wrote:
>
> Shengjing Zhu <z...@debian.org> writes:
>
> > On Mon, Jan 15, 2024 at 9:27 PM Simon Josefsson <si...@josefsson.org> wrote:
> >>
> >> Package: wnpp
> >> Severity: wishlist
> >> Owner: Simon Josefsson <si...@josefsson.org>
> >>
> >> * Package name    : golang-k8s-sigs-release-utils
> >>   Version         : 0.7.7-1
> >>   Upstream Author : Kubernetes SIGs
> >> * URL             : https://github.com/kubernetes-sigs/release-utils
> >> * License         : Apache-2.0
> >>   Programming Lang: Go
> >>   Description     : utilities for kubernetes Go release engineering 
> >> (library)
> >>
> >>  Tiny utilities for use by the Release Engineering subproject and
> >>  kubernetes/release (https://github.com/kubernetes/release/).
> >>
> >
> > Which package will need this library? It looks strange by the name and
> > description. We certainly don't do the release stuff for kubernetes.
>
> Sigstore's rekor complained:
>
> https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/jobs/5160982
>
> src/github.com/sigstore/rekor/cmd/backfill-redis/main.go:44:2: cannot find 
> package "sigs.k8s.io/release-utils/version" in any of:
>         /usr/lib/go-1.21/src/sigs.k8s.io/release-utils/version (from $GOROOT)
>         
> /builds/jas/golang-github-sigstore-rekor/debian/output/source_dir/_build/src/sigs.k8s.io/release-utils/version
>  (from $GOPATH)
>
> Use is here:
>
> https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L44
>

Hmm, then this library is needed.

However I just checked the code in sigs.k8s.io/release-utils/version,
I'm afraid it's not compatible with how we build Go binaries in
Debian.
We don't have any VCS info when building the binaries. And we use
GOPATH mde as well. So the Go compiler can't inject any version info
in the binaries.
This code 
https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L103
would probably just print "unknown, unknown"...

> Can you think of some other solution than packaging
> golang-k8s-sigs-release-utils?  I would be happy to learn about
> alternative approaches to reduce golang dependencies.
>
> /Simon



-- 
Shengjing Zhu

Reply via email to