Hi,
I have two issues, where in particular I would value Simon's feedback, but I think they could be of general interest.
1. We're considering adding an optional context hash to leaf signatures, outlined in https://git.glasklar.is/sigsum/project/documentation/-/merge_requests/125. This brings more flexibility, but also some new ways to misconfigure stuff.
We'll discuss this again on Tuesday's Sigsum weekly. If you have feedback before then, that would be very nice. That's rather short notice, though, so if you want to read and think about it and provide feedback later, please say so now. It would be nice to wrap up discussion and come to a decision, but it's not urgent.
2. Elias noticed that the --version option doesn't work as expected for the sigsum-go tools in Debian. See https://git.glasklar.is/sigsum/core/sigsum-go/-/issues/150
I think we need additional hooks to make this easy to set appropriately in the packaging. Suggestions on how to do this in a good way are appreciated. It would be nice if we could get this improved for the next sigsum-go release, which will likely happen in a week or two.
Regards, /Niels
For the first question, let me try to think some more first. The second one is simpler:
Niels Möller via Sigsum-general sigsum-general@lists.sigsum.org writes:
> - Elias noticed that the --version option doesn't work as expected for the sigsum-go tools in Debian. See https://git.glasklar.is/sigsum/core/sigsum-go/-/issues/150
> I think we need additional hooks to make this easy to set appropriately in the packaging. Suggestions on how to do this in a good way are appreciated. It would be nice if we could get this improved for the next sigsum-go release, which will likely happen in a week or two.
That is a common problem with many (maybe even most) Go packages, so Sigsum is in good company having useless --version in Debian.
One common pattern to resolve this is to use linker flags like you suggest, and this is used in some Debian packages already like this:
https://salsa.debian.org/go-team/packages/age/-/blob/debian/sid/debian/rules...
Variations on the name exist, including 'main.Version', 'main.version', 'version.Version', 'version.Revision', and some packages even include the full namespace as in -ldflags "-X sigsum.org/sigsum-go/version.Version=$V" which would make sense in a library or where multiple versions are useful to record at the same time.
If you support a scheme like that, it is easy to make use of it in packaging.
/Simon
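The linker-flag pattern from the reply above, as an added example that is not part of the thread and is not sigsum-go's own code: a `main.Version` variable that packaging can set with `-ldflags -X`, with a fallback to the module version the Go toolchain embeds. The function names and the sample version strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"runtime/debug"
)

// Version is empty in a plain `go build`. Packaging sets it at link time:
//
//	go build -ldflags "-X main.Version=0.0.0-example"
//
// (constructed version string; -X only works on package-level string variables).
var Version string

// resolveVersion (hypothetical helper) decides what --version reports.
// linked is the value injected by the linker, moduleVersion is what the
// toolchain recorded for the main module.
func resolveVersion(linked, moduleVersion string) string {
	if linked != "" {
		return linked // the packager's value always wins
	}
	// "(devel)" is what the toolchain records when the binary is built from
	// a source tree rather than from a versioned module download.
	if moduleVersion != "" && moduleVersion != "(devel)" {
		return moduleVersion
	}
	return "unknown"
}

// versionString reads the embedded build info and applies resolveVersion.
func versionString() string {
	moduleVersion := ""
	if info, ok := debug.ReadBuildInfo(); ok {
		moduleVersion = info.Main.Version
	}
	return resolveVersion(Version, moduleVersion)
}

func main() {
	for _, arg := range os.Args[1:] {
		if arg == "--version" {
			fmt.Println(versionString())
			return
		}
	}
	fmt.Println("usage: example --version")
}
```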