Replace ERD (Haskell) with erd-go #343

Closed

barthel opened this issue Mar 23, 2023 · 6 comments · Fixed by #344

Comments

@barthel
Contributor

barthel commented Mar 23, 2023

This is a follow-up of #51 .

With asciidoctor/asciidoctor-diagram#402, the Asciidoctor Diagrams team accepted the support/replacement of the Haskell-based erd (https://github.com/BurntSushi/erd) in favor of Go-based erd-go (https://github.com/kaishuu0123/erd-go/).

This step is necessary to provide Asciidoctor Docker Images in a multi-platform way (especially non x86 platforms).

barthel added a commit to barthel/docker-asciidoctor-fork that referenced this issue Mar 23, 2023
@dduportal
Contributor

Just checking `erd-go`, and it seems that it received no commits since February 2021. I'm sorry I did not catch that earlier, but it is annoying, compared to `erd`, which received updates in November 2022.

Not a blocker, but can be an issue.

@dduportal
Contributor

Here is why it is worrying: https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/

=> We cannot guarantee the security of erd-go unless we send a PR to switch to GitHub actions and publish a new release

@pepijnve
Member

@dduportal are you concerned the repo may have been tainted? If so, switching to GH actions will not make much of a difference. If that's not a concern, isn't go install sufficient? AFAIK that doesn't download a precompiled binary; it compiles from source for the local target.

@barthel
Contributor Author

barthel commented Mar 24, 2023

As @pepijnve mentioned, erd-go is compiled for each platform and no precompiled executables are used.

It is similar to the current integration of erd.

If you are unsure if the source code could be compromised, we can't rule that out for erd either.

Since there was no commit in the repository after the vulnerability, the risk is actually even lower here.

@dduportal
Contributor

> As @pepijnve mentioned, erd-go is compiled for each platform and no precompiled executables are used.
>
> It is similar to the current integration of erd.
>
> If you are unsure if the source code could be compromised, we can't rule that out for erd either.
>
> Since there was no commit in the repository after the vulnerability, the risk is actually even lower here.

That makes absolute sense in regard to the security risk: I commented before looking at your PR's content and assumed we were using the binary.

Given that it is source code related, is it ok to pin to the version, though (instead of latest), to add another layer of safety?

In terms of sustainability, though, we'll have to consider helping the maintainer of erd-go in their effort to modernize. I'm ok to help, but not alone: would that be ok for you?

Thanks @pepijnve @barthel for this precious work, contributions and help!

@barthel
Contributor Author

barthel commented Mar 24, 2023

> Given that it is source code related, is it ok to pin to the version, though (instead of latest), to add another layer of safety?

That makes perfect sense. I have changed the PR.
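The pinning agreed on above (a `go install` of a tagged version instead of `latest`), as an added example that is not part of this thread, of the docker-asciidoctor project or of erd-go. The function names, the `github.com/example/tool` module path used in the comments and the `vX.Y.Z` placeholder are assumptions for illustration; `go install pkg@version`, `go env GOPATH` and `go version -m` are real `go` subcommands.

```shell
#!/bin/sh
# Added example: refuse to `go install` a Go module from a mutable ref
# (latest, a branch, a short commit) and require a pinned version, so the
# Dockerfile always builds the same source. Names below are illustrative.

# is_pinned_go_version VERSION
# Returns 0 for a semantic-version tag (v1.2.3, v1.2.3-rc1) or a Go
# pseudo-version (v0.0.0-20210201120000-abcdef123456), 1 for anything else,
# e.g. "latest", "master", "v1.2" or a bare commit hash.
is_pinned_go_version() {
    printf '%s\n' "$1" | grep -Eq \
        '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
}

# go_install_spec MODULE VERSION
# Prints "MODULE@VERSION" on stdout when VERSION is pinned, otherwise
# prints an error on stderr and returns 1 without installing anything.
go_install_spec() {
    if ! is_pinned_go_version "$2"; then
        echo "refusing unpinned version '$2' for $1" >&2
        return 1
    fi
    printf '%s@%s\n' "$1" "$2"
}

# pinned_go_install MODULE VERSION
# Compiles the tool from source for the local target (no prebuilt binary is
# fetched). With GOSUMDB at its default, `go install` checks the downloaded
# module zip against the sum.golang.org checksum database, so a tag that
# was moved after it was first recorded fails with a checksum mismatch.
# Afterwards, `go version -m` prints the module path, version and hash
# embedded in the binary, which is what you would log in a build for audit.
# Assumes the main package is the module root, so the binary is named after
# the last path element (e.g. .../erd-go -> erd-go).
pinned_go_install() {
    spec=$(go_install_spec "$1" "$2") || return 1
    CGO_ENABLED=0 go install "$spec" || return 1
    go version -m "$(go env GOPATH)/bin/$(basename "$1")"
}

# Usage (placeholder version, not a real erd-go release):
#   pinned_go_install github.com/kaishuu0123/erd-go vX.Y.Z
```

Note that pinning a tag is only as immutable as the module proxy and checksum database make it: if a module version has never been fetched through a proxy or recorded in sum.golang.org, the first build records whatever the tag points to at that moment. Running the install once in a trusted environment before shipping the Dockerfile, and keeping the `go version -m` output with the image's build logs, gives you something to compare against if the upstream tag ever changes.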

dduportal added a commit that referenced this issue Mar 26, 2023