Closed jku closed 2 months ago
Apparently the order of package names matters to pip:
pip install tuf securesystemslib[pynacl]
results in installation of securesystemslib-0.31.0 and tuf-4.0.0
pip install securesystemslib[pynacl] tuf
results in installation of securesystemslib-1.0.0 and tuf-3.1.1.
(there's clearly some bug involved as well since without the extra pynacl option both commands have the same result)
I think the current code is fine for now:
We shouldn't be directly installing libraries in CI test scripts anyway: this will hopefully be fixed when we integrate #929 -- root-signing-staging has tests that avoid this already (it uses a TUF test action and actual sigstore CLI clients instead)
#1224 pins the tuf version, which seems to fix the resolution again
The timing makes me believe the recent securesystemslib release "caused" this: the new version does not have the pynacl option anymore IIRC so that makes sense... but it shouldn't affect anything since tuf explicitly doesn't use the new securesystemslib yet :shrug:
I'll look at this next week