Your message dated Tue, 09 Dec 2025 10:05:56 +0100
with message-id <[email protected]>
and subject line Re: Bug#1113699: ITP: golang-github-smallstep-go-attestation
-- abstract attestation for remote machine/state validation
has caused the Debian Bug report #1113699,
regarding ITP: golang-github-smallstep-go-attestation -- abstract attestation
for remote machine/state validation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1113699: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113699
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <[email protected]>
* Package name : golang-github-smallstep-go-attestation
Version : 0.4.3-1
Upstream Author : Smallstep
* URL : https://github.com/smallstep/go-attestation
* License : Apache-2.0
Programming Lang: Go
Description : abstract attestation for remote machine/state validation
Go-Attestation abstracts remote attestation operations across a variety
of platforms and TPMs, enabling remote validation of machine identity
and state. This project attempts to provide high level primitives for
both client and server logic.
Needed by modern golang-github-smallstep-certificates. I hope to
maintain this as part of the Go team.
https://salsa.debian.org/go-team/packages/golang-github-smallstep-go-attestation
https://salsa.debian.org/jas/golang-github-google-go-attestation/-/pipelines
/Simon
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
I'm closing this bug -- https://github.com/smallstep/go-attestation is a
fork of https://github.com/google/go-attestation which I packaged as
'golang-github-google-go-attestation' in Debian. The smallstep fork
does not contain any changes compared to upstream.
The smallstep fork is used by 'golang-github-smallstep-certificates'
which has a patch that is
perl -pi -e
's,"github.com/smallstep/go-attestation,"github.com/google/go-attestation,'
$(find . -type f)
and I now asked upstream to consider using that project directly instead:
https://github.com/smallstep/certificates/issues/2499
If at some point these projects really do diverge, maybe this bug can be
re-opened and things reconsidered, but right now I don't think we should
continue down the smallstep/go-attestation path.
/Simon
Simon Josefsson <[email protected]> writes:
> Christopher Obbard <[email protected]> writes:
>
>> Hi Simon,
>>
>> On Mon, 1 Sept 2025 at 10:29, Simon Josefsson <[email protected]> wrote:
>>>
>>> Package: wnpp
>>> Severity: wishlist
>>> Owner: Simon Josefsson <[email protected]>
>>>
>>> * Package name : golang-github-smallstep-go-attestation
>>> Version : 0.4.3-1
>>> Upstream Author : Smallstep
>>> * URL : https://github.com/smallstep/go-attestation
>>
>> Isn't upstream https://github.com/google/go-attestation ? Or I guess
>> this could be a required fork for the upstream?
>> It's a bit unclear to me in this current state.
>
> Yes you are right. I realized this too (just look at my mixed up
> personal salsa URL which was for the google project). Sometime it
> seemed like both of these were imported from the same project, but I
> think they could be patched to just use one of them.
>
> I will step back and attempt to package
> golang-github-google-go-attestation, so we have a baseline.
>
> Thanks for thinking about these aspects and bringing it up!
>
> /Simon
>
signature.asc
Description: PGP signature
--- End Message ---
