Bug#1060820: ITP: golang-github-cyberphone-json-canonicalization -- JSON Canonicalization Scheme (JCS) (Go library)

2024-01-18 Thread Simon Josefsson
Hi Reinhard,

Instead of packaging golang-github-cyberphone-json-canonicalization I
uploaded an NMU for golang-webpki-org-jsoncanonicalizer to make it
provide the name that rekor expects, thereby closing this ITP bug with
this NMU upload.  See debdiff below.

What do you think about moving this package into the go-team umbrella?
I can help maintain it if you agree.

Before I understood that golang-webpki-org-jsoncanonicalizer was in
unstable (there was no ITP bug!  I thought it was never uploaded) I did
some work to clean up this packaging, on my 'jas-upstream' and
'jas-debian/sid' branches in URL below.  That work is unfinished, but if
you agree, I can move this into the go-team umbrella and make an
experimental upload with updated packaging for testing.

https://salsa.debian.org/jas/golang-webpki-org-jsoncanonicalizer/-/tree/jas-debian/sid

/Simon

diff -Nru golang-webpki-org-jsoncanonicalizer-0.20210204/debian/changelog 
golang-webpki-org-jsoncanonicalizer-0.20210204/debian/changelog
--- golang-webpki-org-jsoncanonicalizer-0.20210204/debian/changelog 
2023-11-13 02:47:06.0 +0100
+++ golang-webpki-org-jsoncanonicalizer-0.20210204/debian/changelog 
2024-01-18 19:52:58.0 +0100
@@ -1,3 +1,10 @@
+golang-webpki-org-jsoncanonicalizer (0.20210204-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add link for name used by rekor.  Closes: #1060820.
+
+ -- Simon Josefsson   Thu, 18 Jan 2024 19:52:58 +0100
+
 golang-webpki-org-jsoncanonicalizer (0.20210204-1) unstable; urgency=medium
 
   * Initial release.
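Review bot: the "Add link for name used by rekor" entry does not say which path is being linked. Naming the import path github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer in the entry would let someone reading the changelog alone see what this NMU exposes and why.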
diff -Nru golang-webpki-org-jsoncanonicalizer-0.20210204/debian/links 
golang-webpki-org-jsoncanonicalizer-0.20210204/debian/links
--- golang-webpki-org-jsoncanonicalizer-0.20210204/debian/links 1970-01-01 
01:00:00.0 +0100
+++ golang-webpki-org-jsoncanonicalizer-0.20210204/debian/links 2024-01-18 
19:52:58.0 +0100
@@ -0,0 +1 @@
+usr/share/gocode/src/webpki.org/jsoncanonicalizer 
usr/share/gocode/src/github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
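Review bot: the single debian/links entry covers only the jsoncanonicalizer directory under the github.com/cyberphone/json-canonicalization path, so an import of anything else from that module will still not resolve. A line in README.Debian or in the changelog recording that the link exists for rekor's import path, and that only this subpackage is covered, would document that limit. The same source is now reachable under two import paths, which Go treats as two distinct packages if a build ever pulls in both; that is worth noting in the same place.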




Bug#1060820: ITP: golang-github-cyberphone-json-canonicalization -- JSON Canonicalization Scheme (JCS) (Go library)

2024-01-15 Thread Simon Josefsson
Reinhard Tartler  writes:

> On Sun, Jan 14, 2024 at 8:36 PM Simon Josefsson  wrote:
>
>> Package: wnpp
>> Severity: wishlist
>> Owner: Simon Josefsson 
>>
>> * Package name: golang-github-cyberphone-json-canonicalization
>>   Version : 0.0~git20220623.57a0ce2-1
>>   Upstream Author : Anders Rundgren
>> * URL : https://github.com/cyberphone/json-canonicalization
>> * License : Apache-2.0
>>   Programming Lang: Go
>>   Description : JSON Canonicalization Scheme (JCS) (Go library)
>>
>>
> I contemplated packaging this library in the past, but found it actually
> contains a lot of other stuff I didn't need. In the end, I ended up packaging
> https://salsa.debian.org/debian/golang-webpki-org-jsoncanonicalizer
> which seems to be what the proposed package is "repackaging".
>
> In a way, I went straight for the source, I guess.

Thanks -- I missed your package!  No ITP bug?

Your package looks cleaner, and I haven't yet figured out how to repack
the golang-github-cyberphone-json-canonicalization tarball to only
contain the Go code, much in the same way you did but instead extracted
only the source code.  I am considering using your package instead, and
haven't made the ftp-master NEW upload yet for 1060820.

I wasn't able to build your package, did you forget to push upstream
branch and tags?

Rekor has github.com/cyberphone/json-canonicalization in go.mod and is
using that namespace:

jas@kaka:~/dpkg/golang-github-sigstore-rekor$ rgrep jsoncanonicalizer .
./tests/e2e_test.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
./tests/e2e_test.go:canonicalized, err := jsoncanonicalizer.Transform(payload)
./pkg/verify/verify.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
./pkg/verify/verify.go: canonicalized, err := jsoncanonicalizer.Transform(contents)
./pkg/types/entries.go: "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
./pkg/types/entries.go: return jsoncanonicalizer.Transform(canonicalEntry)
./pkg/api/entries.go:   "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
./pkg/api/entries.go:   canonicalized, err := jsoncanonicalizer.Transform(payload)
./pkg/pki/tuf/tuf.go:   "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
./pkg/pki/tuf/tuf.go:   return jsoncanonicalizer.Transform(marshalledBytes)
./pkg/pki/tuf/tuf.go:   return jsoncanonicalizer.Transform(marshalledBytes)
jas@kaka:~/dpkg/golang-github-sigstore-rekor$

How would I force it to use your webpki.org namespace instead, simply
patch all these occurrences?  Is it acceptable to patch upstream Go code
to use other dependencies for Debian?  I haven't done this with any
package, so some assistance is appreciated.  For reference my rekor
package lives here:

https://salsa.debian.org/jas/golang-github-sigstore-rekor

Is this approach really scalable?  Say 100 other upstream projects end
up using cyberphone namespace, then Debian has to carry patches to
change namespace for all of them, which is a lot of manual work.

Once I can build your package, I can experiment with using it instead of
my variant that lives here (failing license and lintian checks):

https://salsa.debian.org/go-team/packages/golang-github-cyberphone-json-canonicalization
https://salsa.debian.org/jas/golang-github-cyberphone-json-canonicalization/-/pipelines

Hmm.  Thinking out loud, perhaps a simpler compromise is to use your
packaging but use the upstream namespace instead of changing it to
golang-webpki-org-jsoncanonicalizer and webpki.org/jsoncanonicalizer
namespace?  Then no dependency will require patches.

/Simon




Bug#1060820: ITP: golang-github-cyberphone-json-canonicalization -- JSON Canonicalization Scheme (JCS) (Go library)

2024-01-14 Thread Reinhard Tartler
On Sun, Jan 14, 2024 at 8:36 PM Simon Josefsson  wrote:

> Package: wnpp
> Severity: wishlist
> Owner: Simon Josefsson 
>
> * Package name: golang-github-cyberphone-json-canonicalization
>   Version : 0.0~git20220623.57a0ce2-1
>   Upstream Author : Anders Rundgren
> * URL : https://github.com/cyberphone/json-canonicalization
> * License : Apache-2.0
>   Programming Lang: Go
>   Description : JSON Canonicalization Scheme (JCS) (Go library)
>
>
I contemplated packaging this library in the past, but found it actually
contains a lot of other stuff I didn't need. In the end, I ended up packaging
https://salsa.debian.org/debian/golang-webpki-org-jsoncanonicalizer
which seems to be what the proposed package is "repackaging".

In a way, I went straight for the source, I guess.

Best,
-rt


Bug#1060820: ITP: golang-github-cyberphone-json-canonicalization -- JSON Canonicalization Scheme (JCS) (Go library)

2024-01-14 Thread Simon Josefsson
Package: wnpp
Severity: wishlist
Owner: Simon Josefsson 

* Package name: golang-github-cyberphone-json-canonicalization
  Version : 0.0~git20220623.57a0ce2-1
  Upstream Author : Anders Rundgren
* URL : https://github.com/cyberphone/json-canonicalization
* License : Apache-2.0
  Programming Lang: Go
  Description : JSON Canonicalization Scheme (JCS) (Go library)

 Cryptographic operations like hashing and signing depend on the fact that
 the target data does not change during serialization, transport, or parsing.
 By applying the rules defined by JCS (JSON Canonicalization Scheme),
 data provided in the JSON [RFC8259
 (https://tools.ietf.org/html/rfc8259)] format can be exchanged "as is",
 while still being subject to secure cryptographic operations. JCS
 achieves this by building on the serialization formats for JSON
 primitives as defined by ECMAScript [ES
 (https://ecma-international.org/ecma-262/)], constraining JSON data to the
 I-JSON [RFC7493 (https://tools.ietf.org/html//rfc7493)] subset, and through
 a platform independent property sorting scheme.
 .
 Public RFC: (https://tools.ietf.org/html/rfc8785)
 .
 The JSON Canonicalization Scheme concept in a nutshell:
 .
  * Serialization of primitive JSON data types using methods compatible
    with ECMAScript's JSON.stringify()
  * Lexicographic sorting of JSON Object properties in a *recursive*
    process
  * JSON Array data is also subject to canonicalization, *but element
    order remains untouched*

I hope to maintain this package as part of Debian Go Packaging Team:

https://salsa.debian.org/go-team/packages/golang-github-cyberphone-json-canonicalization

/Simon
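
The three rules in the package description above, as an added Go example (not code from this thread, the Debian package or the upstream library): two byte-wise different encodings of the same data yield the same canonical text and therefore the same SHA-256. The names `canon` and `Digest` are hypothetical and the input is constructed; it assumes keys without supplementary-plane characters (byte-order sort) and leaves scalar formatting to encoding/json, so it is not a substitute for an RFC 8785 implementation.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// canon serializes a decoded JSON value: keys sorted recursively, arrays as-is.
func canon(v interface{}) string {
	var parts []string
	switch t := v.(type) {
	case map[string]interface{}:
		keys := make([]string, 0, len(t))
		for k := range t {
			keys = append(keys, k)
		}
		sort.Strings(keys) // byte order; equals RFC 8785's UTF-16 order for BMP-only keys
		for _, k := range keys {
			parts = append(parts, canon(k)+":"+canon(t[k]))
		}
		return "{" + strings.Join(parts, ",") + "}"
	case []interface{}:
		for _, e := range t {
			parts = append(parts, canon(e))
		}
		return "[" + strings.Join(parts, ",") + "]"
	}
	var b bytes.Buffer // scalars: encoding/json rules with HTML escaping off (assumption)
	enc := json.NewEncoder(&b)
	enc.SetEscapeHTML(false)
	enc.Encode(v)
	return strings.TrimSpace(b.String())
}
// Digest returns the canonical text of raw and the SHA-256 hex digest over it.
func Digest(raw string) (string, string, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(raw), &v); err != nil {
		return "", "", err
	}
	c := canon(v)
	return c, fmt.Sprintf("%x", sha256.Sum256([]byte(c))), nil
}
func main() {
	fmt.Println(Digest(`{ "b": [3, 1], "a": {"z": 1.0, "y": "<x>"} }`)) // constructed input
}
```

Swapping the array elements changes the digest, while reordering keys, changing whitespace or writing `1.0` as `1e0` does not.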

