Remove `repository-service-tuf` dependency from `dev.txt` #15958
LGTM -- assuming this doesn't break anything, I think we're fine to remove this and re-add it when rstuf upgrades their (One thing I just thought of -- |
Ah yeah indeed,
|
Gotcha -- given that it's not anywhere on the critical local development path, maybe that failure is acceptable. CC @di for thoughts 🙂 (Another more invasive option here would be to create an |
Hi @woodruffw and @facutuesca, now the rstuf supports python-tuf 4.0.0 |
Cool, we'll update here (@facutuesca and I are at a company offsite so it'll be a few days). |
@kairoaraujo @woodruffw
I'm updating the description to reflect this new conflict. |
FWICT, this is slightly wrong 🙂 -- ...which is a transitive dependency of So this is still a conflict, but the conflict is because
@kairoaraujo is it possible to get this resolved? As-is, we're still going to need to remove the |
We definitely need to migrate To resolve the conflict here quickly, I suggest to temporarily replicate the cli code use by |
Sounds good, thank you! |
Previously, `repository-service-tuf` (i.e. the RSTUF cli) was used to bootstrap an RSTUF repo for development. This PR re-implements the relevant parts of the cli locally in Warehouse and removes the `repository-service-tuf` dependency, which conflicts with other dependencies.

Change details
- Add lightweight RSTUF API client library (can be re-used for pypi#15815)
- Add local `warehouse tuf bootstrap` cli subcommand, to wrap lib calls
- Invoke local cli via `make inittuf`
- Remove dependency

supersedes pypi#15958 (cc @facutuesca @woodruffw)

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
* Replace conflicting repository-service-tuf dep

  Previously, `repository-service-tuf` (i.e. the RSTUF cli) was used to bootstrap an RSTUF repo for development. This PR re-implements the relevant parts of the cli locally in Warehouse and removes the `repository-service-tuf` dependency, which conflicts with other dependencies.

  Change details
  - Add lightweight RSTUF API client library (can be re-used for #15815)
  - Add local `warehouse tuf bootstrap` cli subcommand, to wrap lib calls
  - Invoke local cli via `make inittuf`
  - Remove dependency

  supersedes #15958 (cc @facutuesca @woodruffw)

  Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Make payload arg in tuf cli "lazy"

  Other than the regular click File, the LazyFile also has the "name" attribute, when passing stdin via "-". We print the name on success.

  Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Add minimal unittest for TUF bootstrap cli

  Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Add unit tests for RSTUF API client lib

  Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

---------

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Fixed by #16098 |
While working on #15871, which includes adding `sigstore` as a dependency to `warehouse` (in order to be able to verify attestations), the following dependency conflict came up:

The latest version of `repository-service-tuf` (included in `requirements/dev.txt`) pins `tuf==3.1.0` as a dependency.

Whereas `sigstore` requires `tuf~=4.0.0`, creating a conflict.

The current PR adding `sigstore` as a dependency is currently a draft due to having to comment out the `repository-service-tuf` dependency to avoid the conflict.

While the conflict mentioned above was solved by `repository-service-tuf==0.12.0b1`, this newly released version has another conflict with `warehouse`, this time with `securesystemslib`:

`warehouse` depends on `securesystemslib==1.0.0` via `boto3`, whereas `repository-service-tuf` requires `<1.0.0`:

This PR removes `repository-service-tuf` from the `dev.txt` dependencies.

cc @woodruffw @di @kairoaraujo
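
The two conflicts described in the PR description above, reproduced as an added example (not code from this PR or from Warehouse). It evaluates a simplified subset of PEP 440 clauses over numeric release versions only; the function names and the candidate version lists are constructed for illustration, while the pins are the ones quoted in the description.

```python
import re

SPEC_RE = re.compile(r"(==|~=|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)")

def _release(text):
    # Numeric release segments only; pre/post/dev tags are out of scope here.
    return tuple(int(part) for part in text.split("."))

def satisfies(version, spec):
    """True if `version` meets a single clause such as '~=4.0.0'."""
    match = SPEC_RE.fullmatch(spec.strip())
    if match is None:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, wanted = match.group(1), _release(match.group(2))
    have = _release(version)
    width = max(len(have), len(wanted))
    have_p = have + (0,) * (width - len(have))
    wanted_p = wanted + (0,) * (width - len(wanted))
    if op == "~=":
        # Compatible release: ~=4.0.0 means >=4.0.0 and ==4.0.*
        if len(wanted) < 2:
            raise ValueError("~= needs at least two release segments")
        return have_p >= wanted_p and have_p[: len(wanted) - 1] == wanted[:-1]
    return {
        "==": have_p == wanted_p,
        "!=": have_p != wanted_p,
        "<": have_p < wanted_p,
        "<=": have_p <= wanted_p,
        ">": have_p > wanted_p,
        ">=": have_p >= wanted_p,
    }[op]

def find_conflicts(requirements, candidates):
    """Map each package with no usable candidate to the clauses placed on it."""
    by_package = {}
    for requirer, package, spec in requirements:
        by_package.setdefault(package, []).append((requirer, spec))
    conflicts = {}
    for package, clauses in by_package.items():
        usable = [v for v in candidates.get(package, [])
                  if all(satisfies(v, spec) for _, spec in clauses)]
        if not usable:
            conflicts[package] = clauses
    return conflicts

# Pins as stated in the PR description; candidate versions are constructed.
FIRST_CONFLICT = [("repository-service-tuf", "tuf", "==3.1.0"), ("sigstore", "tuf", "~=4.0.0")]
SECOND_CONFLICT = [("warehouse", "securesystemslib", "==1.0.0"), ("repository-service-tuf", "securesystemslib", "<1.0.0")]
CANDIDATES = {"tuf": ["3.1.0", "4.0.0", "4.0.1"], "securesystemslib": ["0.9.0", "1.0.0"]}
```

An empty result from `find_conflicts` means at least one candidate satisfies every clause; a non-empty result names the requirers whose pins cannot be met together.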