Remove `repository-service-tuf` dependency from `dev.txt` #15958
base: main
LGTM -- assuming this doesn't break anything, I think we're fine to remove this and re-add it when rstuf upgrades their (One thing I just thought of --

Ah yeah indeed,

Gotcha -- given that it's not anywhere on the critical local development path, maybe that failure is acceptable. CC @di for thoughts 🙂 (Another more invasive option here would be to create an

Hi @woodruffw and @facutuesca, now the rstuf supports python-tuf 4.0.0

Cool, we'll update here (@facutuesca and I are at a company offsite so it'll be a few days).

@kairoaraujo @woodruffw
I'm updating the description to reflect this new conflict.

While working on #15871, which includes adding `sigstore` as a dependency to `warehouse` (in order to be able to verify attestations), the following dependency conflict came up:

The latest version of `repository-service-tuf` (included in `requirements/dev.txt`) pins `tuf==3.1.0` as a dependency.

Whereas `sigstore` requires `tuf~=4.0.0`, creating a conflict.

The current PR adding `sigstore` as a dependency is currently a draft due to having to comment out the `repository-service-tuf` dependency to avoid the conflict.

While the conflict mentioned above was solved by `repository-service-tuf==0.12.0b1`, this newly released version has another conflict with `warehouse`, this time with `securesystemslib`:

`warehouse` depends on `securesystemslib==1.0.0` via `boto3`, whereas `repository-service-tuf` requires `<1.0.0`:

This PR removes `repository-service-tuf` from the `dev.txt` dependencies.

cc @woodruffw @di @kairoaraujo