sigstore / sigstore-java

java clients for sigstore
Apache License 2.0
37 stars, 20 forks

Split sigstore-java into several modules #284

Open vlsi opened 1 year ago

vlsi commented 1 year ago

Description

Currently, sigstore-java is all-in-one, so users can't select the bits they need, and the dependency surface might become an issue.

For instance, generating a Sigstore Bundle requires protobuf-java, which is a 1.5M jar and often has CVEs: https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java

I guess it might work slightly better if we make sigstore-java an umbrella module with little to no code, and split the implementation to sigstore-java-rekor, sigstore-java-fulcio, sigstore-java-bundle, sigstore-java-tuf, and so on.

WDYT?
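One way to lay out the umbrella-plus-submodules arrangement proposed in this comment, as an added illustration that is not the project's own build and not code from the thread. The module names are the ones vlsi lists; the group id `dev.sigstore`, the version placeholders and the file layout are assumptions. The block shows several Gradle Kotlin DSL files, separated by comments, so the point of the split is visible: the heavyweight protobuf-java dependency lives in exactly one module, and a consumer that never builds a Bundle never gets it on its classpath.

```kotlin
// settings.gradle.kts  (hypothetical layout, not the project's actual build)
rootProject.name = "sigstore-java-root"
include(
    "sigstore-java",         // umbrella: little to no code, re-exports the others
    "sigstore-java-rekor",
    "sigstore-java-fulcio",
    "sigstore-java-bundle",  // the only module that needs protobuf-java
    "sigstore-java-tuf",
)

// sigstore-java-bundle/build.gradle.kts
// Confines the protobuf dependency to one module, so consumers that never
// generate a Bundle never pull it in.
plugins { `java-library` }
dependencies {
    // version is a placeholder; pin whatever the project actually resolves
    implementation("com.google.protobuf:protobuf-java:PROTOBUF_VERSION_PLACEHOLDER")
}

// sigstore-java-fulcio/build.gradle.kts
plugins { `java-library` }
dependencies {
    // no protobuf here; only what certificate handling actually needs
}

// sigstore-java/build.gradle.kts  (the umbrella)
// `api` re-exports every submodule, so "dev.sigstore:sigstore-java" still
// gives an all-in-one experience for users who want it.
plugins { `java-library` }
dependencies {
    api(project(":sigstore-java-rekor"))
    api(project(":sigstore-java-fulcio"))
    api(project(":sigstore-java-bundle"))
    api(project(":sigstore-java-tuf"))
}

// build.gradle.kts of a downstream consumer that only verifies certificates
// and log entries and never generates a Bundle (group id "dev.sigstore" assumed)
plugins { java }
dependencies {
    implementation("dev.sigstore:sigstore-java-fulcio:SIGSTORE_VERSION_PLACEHOLDER")
    implementation("dev.sigstore:sigstore-java-rekor:SIGSTORE_VERSION_PLACEHOLDER")
    // deliberately NOT sigstore-java or sigstore-java-bundle, so protobuf-java
    // stays off this consumer's runtime classpath
}
```

The check that the split is real rather than nominal: in the consumer project run `./gradlew dependencies --configuration runtimeClasspath` and confirm that `com.google.protobuf:protobuf-java` does not appear. If it does, one of the leaf modules is still reaching the bundle module transitively (for example the tuf-to-verifier dependency mentioned later in the thread), and the dependency surface has not actually shrunk.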

patflynn commented 1 year ago

I think this makes sense. I just need to break the dep from tuf back to the verifier. I was planning on doing that anyway.

On Fri, Jan 13, 2023 at 3:09 AM Vladimir Sitnikov @.***> wrote:

Description

Currently, sigstore-java is all-in-one, so users can't select the bits they need, and the dependency surface might become an issue.

For instance, generating a Sigstore Bundle requires protobuf-java, which is a 1.5M jar and often has CVEs: https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java

I guess it might work slightly better if we make sigstore-java an umbrella module with little to no code, and split the implementation to sigstore-java-rekor, sigstore-java-fulcio, sigstore-java-bundle, sigstore-java-tuf, and so on.

WDYT?


vlsi commented 1 year ago

I'm inclined to think it might be easier to start by committing everything together (e.g. merge bundle into sigstore-java), and then try moving classes around to see if they really split :)