Use github.com/google/go-attestation instead of github.com/smallstep/go-attestation

[jas4711]

Hi! I noticed this package uses github.com/smallstep/go-attestation which is a fork of github.com/google/go-attestation with no changes, except that it is lagging behind upstream. The Google project seems to be maintained and is seeing progress. In Debian we prefer not to duplicate code, so we only package the google upstream project. The Debian package for smallstep/certificate patches things to use the Google project instead, and this works fine as the API is compatible. I worry about this long-term though, and one suggestion is for smallstep/certificates to use upstream Google project directly instead of the apparently unmaintained smallstep/go-attestation fork.

What do you think?

[hslatman]

Hey @jas4711,

We use the surrogate branch: https://github.com/smallstep/go-attestation/tree/surrogate, which has quite a few patches that haven't been upstreamed yet. We've opened PRs in the past, as it was always the case we wanted those changes to end upt here, but there was no progress at the time. We're aware the Google repo is seeing more activity again, and we've reached out to ask whether contributions would be accepted in a timely manner now, which received a positive response. It's now on us to rebase / redo the changes.

So, right now we can't change this.

[jas4711]

Thank you! I had completely missed the surrogate branch when packaging smallstep/certificate for Debian. I will review the situation. Right now we build smallstep/certificate against github.com/google/go-attestation, so if there is something important in github.com/smallstep/go-attestation the changes semantics that will be a concern. Ouch, I'm happy to have raised the issue instead of simply ignoring it, otherwise this may have gone undetected for more time. I didn't care to raise this issue earlier because we misjudged about this dependency -- see discussion https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113699

(I completely understand if you think that Debian's approach to packaging is strange and that it feels terrible that we can even make mistakes like this without noticing -- however things are what they are... and things are usually quite ugly once you become aware of things)

[hslatman]

I believe most of our changes to go-attestation are only on the client side, and thus on the CA side they don't change much. We don't use a lot of the available API in the CA either, so things probably work as expected. But better be safe than sorry 😅