cosign: proposal: remove pkg/errors dependency

Description

The pkg/errors package has been deprecated. I think remove this dependency will more maintainability.

Actually, use fmt.Errorf with %w verb.

Also, I would like to point out that they are mixed in current cosign’s souce code.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 15 (15 by maintainers)

Most upvoted comments

I think we can say this is done! Thanks @zchee for taking this on, and for teaching me about Go analyzers in the process. 👍

+1
imjasonh on May 20, 2022

@imjasonh OK, finished initial implements pkgerrors vet tool. https://github.com/zchee/go-analyzer/tree/main/pkgerrors

$ go vet -vettool=$(which pkgerrors) github.com/sigstore/rekor/...
# github.com/sigstore/rekor/pkg/types/jar
pkg/types/jar/jar.go:66:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/intoto
pkg/types/intoto/intoto.go:66:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/hashedrekord
pkg/types/hashedrekord/hashedrekord.go:67:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/rekord
pkg/types/rekord/rekord.go:66:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/rfc3161
pkg/types/rfc3161/rfc3161.go:66:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/rpm
pkg/types/rpm/rpm.go:66:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/tuf
pkg/types/tuf/tuf.go:68:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/sharding
pkg/sharding/ranges.go:58:23: found use location of the deprecated github.com/pkg/errors
pkg/sharding/ranges.go:63:24: found use location of the deprecated github.com/pkg/errors
pkg/sharding/ranges.go:96:23: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/util
pkg/util/checkpoint.go:134:10: found use location of the deprecated github.com/pkg/errors
pkg/util/checkpoint.go:138:10: found use location of the deprecated github.com/pkg/errors
pkg/util/signed_note.go:49:15: found use location of the deprecated github.com/pkg/errors
pkg/util/signed_note.go:54:15: found use location of the deprecated github.com/pkg/errors
pkg/util/signed_note.go:58:15: found use location of the deprecated github.com/pkg/errors
pkg/util/signed_note.go:161:11: found use location of the deprecated github.com/pkg/errors
pkg/util/signed_note.go:166:11: found use location of the deprecated github.com/pkg/errors
pkg/util/timestamp_note.go:164:10: found use location of the deprecated github.com/pkg/errors
pkg/util/timestamp_note.go:168:10: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/helm
pkg/types/helm/helm.go:66:15: found use location of the deprecated github.com/pkg/errors
pkg/types/helm/provenance.go:59:10: found use location of the deprecated github.com/pkg/errors
pkg/types/helm/provenance.go:76:10: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/alpine
pkg/types/alpine/alpine.go:66:15: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:97:10: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:111:10: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:122:10: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:129:10: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:148:11: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:154:12: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:175:11: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:181:12: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:186:12: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:190:12: found use location of the deprecated github.com/pkg/errors
pkg/types/alpine/apk.go:199:10: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
pkg/types/intoto/v0.0.1/entry.go:190:16: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
pkg/types/hashedrekord/v0.0.1/entry.go:180:42: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/cmd/rekor-cli/app
cmd/rekor-cli/app/log_info.go:121:11: found use location of the deprecated github.com/pkg/errors
cmd/rekor-cli/app/pflags.go:119:14: found use location of the deprecated github.com/pkg/errors
cmd/rekor-cli/app/upload.go:143:16: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/pkg/api
pkg/api/api.go:71:15: found use location of the deprecated github.com/pkg/errors
pkg/api/api.go:79:15: found use location of the deprecated github.com/pkg/errors
pkg/api/api.go:87:16: found use location of the deprecated github.com/pkg/errors
pkg/api/api.go:96:15: found use location of the deprecated github.com/pkg/errors
pkg/api/api.go:100:15: found use location of the deprecated github.com/pkg/errors
pkg/api/api.go:104:15: found use location of the deprecated github.com/pkg/errors
pkg/api/trillian_client.go:330:15: found use location of the deprecated github.com/pkg/errors
pkg/api/trillian_client.go:334:15: found use location of the deprecated github.com/pkg/errors
# github.com/sigstore/rekor/cmd/rekor-server/app
cmd/rekor-server/app/watch.go:136:15: found use location of the deprecated github.com/pkg/errors
cmd/rekor-server/app/watch.go:140:15: found use location of the deprecated github.com/pkg/errors
cmd/rekor-server/app/watch.go:149:15: found use location of the deprecated github.com/pkg/errors
+1
zchee on May 19, 2022

FYI, also chasing down some usages in dependencies:

+1
imjasonh on May 16, 2022

I’ve sent https://github.com/sigstore/sigstore/pull/444/ to drop it from sigstore/sigstore

+1
imjasonh on May 16, 2022

@imjasonh Yeah, I focus to sigstore/cosign at first. But if you want, I’ll also cleanup to sigstore/xxx (actually, sigstore orgs) repositories.

And yes, remove all pkg/errors dependency would be hard, I think ok to +indirect.

+1
zchee on May 16, 2022

I added a quick WIP depcheck_test to help ensure we don’t depend on this and uhh…we have a lot of transitive deps on it:

--- FAIL: TestNoDeps (0.71s)
    --- FAIL: TestNoDeps/github.com/sigstore/cosign/cmd/cosign (0.71s)
        depcheck.go:126: CheckNoDependency() = github.com/sigstore/cosign/cmd/cosign depends on banned dependency github.com/pkg/errors
            github.com/sigstore/cosign/cmd/cosign
            github.com/sigstore/cosign/cmd/cosign/cli  # Also: [github.com/sigstore/cosign/cmd/cosign/cli/attach github.com/sigstore/cosign/cmd/cosign/cli/attest github.com/sigstore/cosign/cmd/cosign/cli/copy github.com/sigstore/cosign/cmd/cosign/cli/download github.com/sigstore/cosign/cmd/cosign/cli/fulcio github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier github.com/sigstore/cosign/cmd/cosign/cli/generate github.com/sigstore/cosign/cmd/cosign/cli/rekor github.com/sigstore/cosign/cmd/cosign/cli/sign github.com/sigstore/cosign/cmd/cosign/cli/triangulate github.com/sigstore/cosign/cmd/cosign/cli/upload github.com/sigstore/cosign/cmd/cosign/cli/verify github.com/sigstore/cosign/pkg/policy github.com/sigstore/cosign/pkg/sget]
            github.com/sigstore/cosign/cmd/cosign/cli/options
            github.com/awslabs/amazon-ecr-credential-helper/ecr-login
            github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api  # Also: [github.com/cockroachdb/apd/v2 github.com/containerd/stargz-snapshotter/estargz github.com/docker/cli/cli/config github.com/docker/cli/cli/config/configfile github.com/open-policy-agent/opa/ast github.com/open-policy-agent/opa/ast/location github.com/open-policy-agent/opa/bundle github.com/open-policy-agent/opa/internal/compiler/wasm github.com/open-policy-agent/opa/internal/jwx/buffer github.com/open-policy-agent/opa/internal/jwx/jwa github.com/open-policy-agent/opa/internal/jwx/jwk github.com/open-policy-agent/opa/internal/jwx/jws github.com/open-policy-agent/opa/internal/jwx/jws/sign github.com/open-policy-agent/opa/internal/jwx/jws/verify github.com/open-policy-agent/opa/internal/wasm/encoding github.com/open-policy-agent/opa/topdown github.com/sigstore/cosign/cmd/cosign/cli github.com/sigstore/cosign/cmd/cosign/cli/attach github.com/sigstore/cosign/cmd/cosign/cli/attest github.com/sigstore/cosign/cmd/cosign/cli/dockerfile github.com/sigstore/cosign/cmd/cosign/cli/fulcio github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl github.com/sigstore/cosign/cmd/cosign/cli/generate github.com/sigstore/cosign/cmd/cosign/cli/manifest github.com/sigstore/cosign/cmd/cosign/cli/options github.com/sigstore/cosign/cmd/cosign/cli/publickey github.com/sigstore/cosign/cmd/cosign/cli/sign github.com/sigstore/cosign/cmd/cosign/cli/triangulate github.com/sigstore/cosign/cmd/cosign/cli/verify github.com/sigstore/cosign/pkg/cosign github.com/sigstore/cosign/pkg/cosign/attestation github.com/sigstore/cosign/pkg/cosign/git/github github.com/sigstore/cosign/pkg/cosign/git/gitlab github.com/sigstore/cosign/pkg/cosign/kubernetes github.com/sigstore/cosign/pkg/cosign/pkcs11key github.com/sigstore/cosign/pkg/cosign/tuf github.com/sigstore/cosign/pkg/oci/internal/signature github.com/sigstore/cosign/pkg/oci/layout github.com/sigstore/cosign/pkg/oci/mutate github.com/sigstore/cosign/pkg/oci/remote github.com/sigstore/cosign/pkg/policy github.com/sigstore/cosign/pkg/sget github.com/sigstore/cosign/pkg/signature github.com/sigstore/rekor/pkg/types/hashedrekord github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1 github.com/sigstore/rekor/pkg/types/intoto github.com/sigstore/rekor/pkg/types/rekord github.com/sigstore/rekor/pkg/util github.com/sigstore/sigstore/pkg/oauthflow github.com/sigstore/sigstore/pkg/signature github.com/sigstore/sigstore/pkg/signature/kms/aws github.com/sigstore/sigstore/pkg/signature/kms/azure github.com/sigstore/sigstore/pkg/signature/kms/gcp github.com/sigstore/sigstore/pkg/signature/kms/hashivault github.com/yashtewari/glob-intersection]

The sigstore/cosign ones should be easy enough to drop, and there are also some in sigstore/sigstore and sigstore/rekor, but the rest will probably take a lot more work. At least getting them out of our own tree(s) will be nice.

+1
imjasonh on May 16, 2022

@imjasonh @dlorenc will do cleanup.

+1
zchee on May 16, 2022
Read more comments on GitHub
← cosign: Local Cert verify not working for Azure KMS
cosign: Support errors from Rego validation consistent with policy-controller's convention →