Hi

Rekor needs kms/hashivault kms/gcp kms/azure from sigstore, and I noticed sigstore was lagging behind upstream versions. I want to learn how to prepare an updated version of a Go package with proper reverse dependency rebuilds, so took this as a learning example.

I merged 1.8.0 and prepared the package, however building fails:

https://salsa.debian.org/jas/golang-github-sigstore-sigstore/-/pipelines/626818
https://salsa.debian.org/jas/golang-github-sigstore-sigstore/-/jobs/5167016

Error is:

# github.com/sigstore/sigstore/pkg/signature/dsse
src/github.com/sigstore/sigstore/pkg/signature/dsse/multidsse.go:75:43: cannot use wL.sLAdapters (variable of type []"github.com/secure-systems-lab/go-securesystemslib/dsse".Signer) as []"github.com/secure-systems-lab/go-securesystemslib/dsse".SignerVerifier value in argument to dsse.NewEnvelopeSigner

It seems golang-github-secure-systems-lab-go-securesystemslib-dev needs to be upgraded from 0.7.0 to 0.8.0 too, so I did that and rebuilt all its reverse dependencies:

https://salsa.debian.org/jas/golang-github-secure-systems-lab-go-securesystemslib/-/pipelines/626772

As you can see only golang-github-sigstore-sigstore breaks, so I think these package upgrades need to go in tandem.

This seems to have happened before, so I bumped the versions:

golang-github-sigstore-sigstore:

Build-Depends: debhelper-compat (= 13), - golang-github-secure-systems-lab-go-securesystemslib-dev (>> 0.7), + golang-github-secure-systems-lab-go-securesystemslib-dev (>> 0.8),

golang-github-secure-systems-lab-go-securesystemslib:

Breaks: golang-github-containers-image-dev (<< 5.28), - golang-github-sigstore-sigstore-dev (<< 1.4.0-3~), + golang-github-sigstore-sigstore-dev (<< 1.8.0~),

Rebuilding sigstore 1.8.0 with upgraded securesystemslib 0.8 and all reverse dependencies now build fine:

https://salsa.debian.org/jas/golang-github-sigstore-sigstore/-/pipelines/626828

The autopkgtest itself fails, but I think that is because that particular job isn't picking up the newer securesystemslib 0.8 properly. The other jobs are picking up securesystemslib 0.8 fine (otherwise sigstore would fail, as earlier).

At this point I discovered that enabling the kms/ stuff was complicated, so I decided to upload these two packages to experimental as-is for feedback. I accidentally did an amd64 upload for securesystemslib instead of a source upload, but I guess that for experimental it won't matter -- for unstable I'll be certain to do source-only uploads.

Thoughts? Let me know what needs to be fixed before an upload to unstable can happen :)

/Simon
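
Review bot: In the golang-github-sigstore-sigstore change, only the Build-Depends bound on golang-github-secure-systems-lab-go-securesystemslib-dev moves from (>> 0.7) to (>> 0.8); if the Depends field of golang-github-sigstore-sigstore-dev also lists that package, it needs the same bound, otherwise sigstore-dev 1.8.0 stays installable next to securesystemslib-dev 0.7.0 and anything building against it hits the Signer/SignerVerifier type error quoted above. It would also read more directly to name the release that introduced the change, for example (>= 0.8.0~), rather than a strict inequality on the truncated version 0.8.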