Shengjing Zhu <z...@debian.org> writes: >> https://salsa.debian.org/jas/golang-github-sigstore-rekor/-/jobs/5160982 >> >> src/github.com/sigstore/rekor/cmd/backfill-redis/main.go:44:2: >> cannot find package "sigs.k8s.io/release-utils/version" in any of: >> /usr/lib/go-1.21/src/sigs.k8s.io/release-utils/version (from $GOROOT) >> >> /builds/jas/golang-github-sigstore-rekor/debian/output/source_dir/_build/src/sigs.k8s.io/release-utils/version >> (from $GOPATH) >> >> Use is here: >> >> https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L44 > > Hmm, then this library is needed. > > However I just checked the code in sigs.k8s.io/release-utils/version, > I'm afraid it's not compatible with how we build Go binaries in > Debian. > We don't have any VCS info when building the binaries. And we use > GOPATH mde as well. So the Go compiler can't inject any version info > in the binaries. > This code > https://github.com/sigstore/rekor/blob/main/cmd/backfill-redis/main.go#L103 > would probably just print "unknown, unknown"...
Can we patch rekor to not use sigs.k8s.io? Deciding matters like that is a bit beyond my focus right now, but very happy to discuss and take advice (or patches) here. That sigs.k8s.io/release-utils package needs the following dependencies that we wouldn't have to package if we can someohow get rid of it as a depedency for rekor. https://salsa.debian.org/jas/golang-k8s-sigs-release-utils/-/jobs/5161034 src/sigs.k8s.io/release-utils/mage/cosign.go:24:2: cannot find package "github.com/uwu-tools/magex/pkg" in any of: src/sigs.k8s.io/release-utils/version/version.go:30:2: cannot find package "github.com/common-nighthawk/go-figure" in any of: /Simon
signature.asc
Description: PGP signature
