Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce dependencies #23

Open
haydentherapper opened this issue Oct 26, 2023 · 1 comment
Open

Reduce dependencies #23

haydentherapper opened this issue Oct 26, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@haydentherapper
Copy link
Contributor

Description

Tracking issue to coordinate on reducing the number of dependencies in the library.

A few thoughts so far:

  • Pulling in Rekor pulls in KMS dependencies. We should look into refactoring upstream to move signing with KMS into its own package.
  • Sigstore's timestamp authority pulls in a bunch of dependencies too, while we only need verification. We can either copy code in or refactor upstream.
  • JSON libraries are pulling in mongodb for testing. Fixing this upstream is likely to be difficult though.
@haydentherapper haydentherapper added the enhancement New feature or request label Oct 26, 2023
@steiza
Copy link
Member

steiza commented Nov 3, 2023

I did some research today, motivated by wondering if Go's linker could detect code from included libraries that's not actually called.

It turns out the linker does have deadcode detection, but there are common patterns in popular libraries that cause deadcode detection to be disabled for many cases (see also golang/go#14840).

This is something that would be great for the greater Go ecosystem to fix, but is probably outside the scope of sigstore-go specifically.

steiza added a commit to steiza/rekor that referenced this issue Nov 8, 2023
@steiza
Remove go-playground/validator dependency from pkg/pki
9c6e4b4 
See sigstore/sigstore-go#23.

It might seem silly, but this reduces the size of sigstore-go by over 1 MB.
We're already using asaskevich/govalidator elsewhere in Rekor, so no new
dependencies added.

If we wanted to remove go-playground/validator entirely from Rekor (which
would shrink rekor-cli by over 1 MB as well), we'd need additional work
to rekor-cli/app/ files pflags.go and validate.go.

Signed-off-by: Zach Steindler <[email protected]>
@steiza steiza mentioned this issue Nov 8, 2023
Merged
bobcallaway pushed a commit to sigstore/rekor that referenced this issue Nov 8, 2023
@steiza
Remove go-playground/validator dependency from pkg/pki (#1817)
b681a14 
See sigstore/sigstore-go#23.

It might seem silly, but this reduces the size of sigstore-go by over 1 MB.
We're already using asaskevich/govalidator elsewhere in Rekor, so no new
dependencies added.

If we wanted to remove go-playground/validator entirely from Rekor (which
would shrink rekor-cli by over 1 MB as well), we'd need additional work
to rekor-cli/app/ files pflags.go and validate.go.

Signed-off-by: Zach Steindler <[email protected]>
steiza added a commit that referenced this issue Nov 9, 2023
@steiza
Rework pkg/tlog/entry.go to not depend on sigstore/rekor/pkg/types
e38dfb7 
See #23

This lets us reduce the size of the sigstore-go binary by over 4 MB,
since sigstore/rekor/pkg/types has many dependencies.
@steiza steiza mentioned this issue Nov 9, 2023
Closed
steiza added a commit that referenced this issue Nov 9, 2023
@steiza
Rework pkg/tlog/entry.go to not depend on sigstore/rekor/pkg/types
ec990d4 
See #23

This lets us reduce the size of the sigstore-go binary by over 4 MB,
since sigstore/rekor/pkg/types has many dependencies.

Signed-off-by: Zach Steindler <[email protected]>
@haydentherapper haydentherapper mentioned this issue Apr 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@steiza @haydentherapper