sigstore-python

Refactor: remove `betterproto` dep

Open woodruffw opened this issue 1 year ago • 5 comments

Our dependency on betterproto is a source of a few issues:

  1. We currently depend on the 2.x series, which is only in beta (currently 2.0.0b6). This is both non-ideal and is incompatible with some Python installers, most notably uv: https://github.com/astral-sh/uv/blob/main/PIP_COMPATIBILITY.md#pre-release-compatibility
  2. betterproto's handling of the Struct WKT is partially broken. I've tried to fix it, but round-tripping a JSON-serialized message through a Struct is still impossible, which causes all kinds of problems for the (mostly in-toto) definitions that use Struct
  3. Finally, the models and their APIs themselves aren't particularly Pythonic -- this is more of an issue with protobuf itself than betterproto, but results in development friction and impedance mismatches elsewhere that we have to paper over

As such, we should probably remove our dependency on betterproto in the medium term. There are a few blockers to doing this:

  1. The Bundle, etc. models all come from protobuf-specs, which is currently built on top of betterproto for the Python bindings.
  2. There are (probably) a few places we leak references to betterproto-generated models in Sigstore's public APIs

(1) is probably addressable either by re-modeling the relevant parts of protobuf-specs in pydantic, or by regenerating the Python bindings on top of the JSON Schema for protobuf-specs. (2) may require a major reversion.

CC @darkamaul since he noticed this 🙂

woodruffw, Jun 20 '24 14:06

Not immediately useful, but saving this here so I don't forget it: https://github.com/criccomini/proto-schema-parser

woodruffw, Aug 14 '24 15:08

I wanted to report that betterproto 2.0.0b7 was released in August (and that sigstore fails tests against it), but given this issue, is there a point?

mgorny, Sep 27 '24 18:09

That is indeed good to know! We're still planning on dropping our dependency on it, but we should test against the latest in the meantime. I'll start a PR for that.

Edit: It's technically a transitive dep via sigstore-protobuf-specs, so I'll pursue there.

woodruffw, Sep 27 '24 18:09

Thanks! It would really be appreciated, given that b6 is partially broken with modern pydantic (though I don't think it affects sigstore, but it's reproduced with its own test suite).

mgorny, Sep 27 '24 18:09

https://github.com/sigstore/protobuf-specs/pull/404 has the bump, thanks again! I'll get a version of that package cut and then bump here once it's ready.

woodruffw, Sep 27 '24 18:09

This has taken on a renewed importance for me, since it's making an integration I want to do harder than it should be.

woodruffw, Jul 17 '25 22:07

This should now be done in main since #1470 replaces sigstore-protobuf-specs with sigstore-models (and the latter does not depend on betterproto).

jku, Aug 11 '25 15:08