Open mikedanese opened 8 months ago
I'd be happy to review PRs reducing our dependencies, or possibly making some of them optional.
@mikedanese - hey, thanks for reaching out! 🚀
I definitely like the idea of trimming the dependency footprint, so if you already have something in mind feel free to share it and we'll be happy to review and incorporate it! 💯
I think the biggest "issue" here is the direct dependency on github.com/sigstore/sigstore (which, funnily enough, has a dependency on go-tuf v0.7.0), which in turn has a lot of dependencies itself. Otherwise there are no big deps in our chain. There are currently two PRs open, #617 and #620, which reduce our direct dependencies by two. I still have a refactoring of the test suite on my table which would allow us to also drop github.com/spf13/cobra in favor of using stdlib. I have no strong opinion on github.com/stretchr/testify, and lastly github.com/secure-systems-lab/go-securesystemslib needs to stay IMO.
As TUF operates in a central layer to my security architecture, I would like to assess and minimize the risk incurred by using go-tuf to implement the protocol.
When I create a minimal example program:
I end up with a very substantial dependency footprint.
Any appetite for paring these dependencies down? It looks like much can be reimplemented with a few lines of code and the std library. Yaml, go-jose, go-containerregistry would be good to remove. Happy to send a few PRs.
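The analysis both sides of this thread are doing (which direct dependency drags in the bulk of the transitive footprint, and what would actually disappear if it were dropped) can be run mechanically over `go mod graph` output. This is an added example, not code from go-tuf or from either participant; the module graph below is constructed for illustration, and `github.com/example/go-tuf` is a placeholder root, not the project's real module path or version set.

```python
"""Attribute a Go module's transitive footprint to its direct dependencies
from `go mod graph` output (one "parent child" edge per line)."""
from collections import defaultdict

# Constructed sample of `go mod graph` output: module paths echo the ones
# named in the thread, but versions and edges are made up for this example.
ROOT = "github.com/example/go-tuf"  # placeholder root module
SAMPLE_GRAPH = f"""\
{ROOT} github.com/sigstore/sigstore@v0.0.1
{ROOT} github.com/spf13/cobra@v1.0.0
{ROOT} github.com/stretchr/testify@v1.0.0
{ROOT} github.com/secure-systems-lab/go-securesystemslib@v0.1.0
github.com/sigstore/sigstore@v0.0.1 gopkg.in/yaml.v3@v3.0.1
github.com/sigstore/sigstore@v0.0.1 github.com/go-jose/go-jose/v3@v3.0.0
github.com/sigstore/sigstore@v0.0.1 github.com/google/go-containerregistry@v0.1.0
github.com/google/go-containerregistry@v0.1.0 github.com/docker/cli@v24.0.0
github.com/spf13/cobra@v1.0.0 github.com/spf13/pflag@v1.0.5
github.com/stretchr/testify@v1.0.0 gopkg.in/yaml.v3@v3.0.1
"""

def parse_graph(text):
    """Parse `go mod graph` lines into an adjacency map parent -> {children}."""
    edges = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            parent, child = line.split()
            edges[parent].add(child)
    return edges

def reachable(edges, start):
    """All modules transitively required by `start` (excluding start itself)."""
    seen, stack = set(), [start]
    while stack:
        for child in edges.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def exclusive_footprint(edges, root):
    """For each direct dependency of root: the modules reachable only via it.
    That is what removing the dependency would really drop; a module also
    pulled in by another direct dep (yaml via testify here) stays either way."""
    direct = edges.get(root, set())
    result = {}
    for dep in direct:
        via_others = set()
        for other in direct - {dep}:
            via_others |= reachable(edges, other) | {other}
        result[dep] = (reachable(edges, dep) | {dep}) - via_others
    return result

if __name__ == "__main__":
    for dep, mods in sorted(exclusive_footprint(parse_graph(SAMPLE_GRAPH), ROOT).items(),
                            key=lambda kv: -len(kv[1])):
        print(f"{len(mods):3d}  {dep}")
```

Run against a real tree with `go mod graph | python3 footprint.py` after swapping the sample for `sys.stdin.read()`; the ranking shows which single removal buys the most, and which modules survive because a second path still requires them.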