Reduce dependencies #23

Open
haydentherapper opened this issue Oct 26, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@haydentherapper
Contributor

Description

Tracking issue to coordinate on reducing the number of dependencies in the library.

A few thoughts so far:

  • Pulling in Rekor pulls in KMS dependencies. We should look into refactoring upstream to move signing with KMS into its own package.
  • Sigstore's timestamp authority pulls in a bunch of dependencies too, while we only need verification. We can either copy code in or refactor upstream.
  • JSON libraries are pulling in mongodb for testing. Fixing this upstream is likely to be difficult though.
@haydentherapper haydentherapper added the enhancement New feature or request label Oct 26, 2023
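
An added example, not code from sigstore-go or its maintainers: before refactoring upstream, it helps to see which direct dependencies are responsible for pulling in a heavy module. This Go program reads `go mod graph`-format text and, using a breadth-first search from the target, reports one chain per responsible direct dependency. The sample graph, its placeholder versions, and the `PathsTo` helper are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format; edges and versions are placeholders.
const sampleGraph = `github.com/sigstore/sigstore-go github.com/sigstore/rekor@v0.0.0
github.com/sigstore/sigstore-go github.com/sigstore/timestamp-authority@v0.0.0
github.com/sigstore/sigstore-go github.com/google/certificate-transparency-go@v0.0.0
github.com/sigstore/rekor@v0.0.0 github.com/sigstore/sigstore/pkg/signature/kms/aws@v0.0.0
github.com/sigstore/timestamp-authority@v0.0.0 github.com/sigstore/sigstore/pkg/signature/kms/aws@v0.0.0
github.com/sigstore/sigstore/pkg/signature/kms/aws@v0.0.0 github.com/aws/aws-sdk-go-v2@v0.0.0`

// PathsTo lists, for each direct dependency of root that transitively requires
// target, the shortest chain root -> ... -> target. Version suffixes are ignored.
func PathsTo(graph, root, target string) (out [][]string) {
	rev, fwd := map[string][]string{}, map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			from, to := strings.Split(f[0], "@")[0], strings.Split(f[1], "@")[0]
			rev[to] = append(rev[to], from)
			fwd[from] = append(fwd[from], to)
		}
	}
	hop := map[string]string{target: ""} // module -> next hop toward target
	for queue := []string{target}; len(queue) > 0; queue = queue[1:] {
		for _, p := range rev[queue[0]] {
			if _, ok := hop[p]; !ok {
				hop[p] = queue[0]
				queue = append(queue, p)
			}
		}
	}
	for _, d := range fwd[root] {
		if _, ok := hop[d]; ok {
			path := []string{root}
			for n := d; n != ""; n = hop[n] {
				path = append(path, n)
			}
			out = append(out, path)
		}
	}
	return out
}

func main() {
	fmt.Println(PathsTo(sampleGraph, "github.com/sigstore/sigstore-go", "github.com/aws/aws-sdk-go-v2"))
}
```

On a real checkout, the input would be the output of `go mod graph` run in the module root.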
@steiza
Member

steiza commented Nov 3, 2023

I did some research today, motivated by wondering if Go's linker could detect code from included libraries that's not actually called.

It turns out the linker does have deadcode detection, but there are common patterns in popular libraries that cause deadcode detection to be disabled for many cases (see also golang/go#14840).

This is something that would be great for the greater Go ecosystem to fix, but is probably outside the scope of sigstore-go specifically.

steiza added a commit to steiza/rekor that referenced this issue Nov 8, 2023
See sigstore/sigstore-go#23.

It might seem silly, but this reduces the size of sigstore-go by over 1 MB.
We're already using asaskevich/govalidator elsewhere in Rekor, so no new
dependencies added.

If we wanted to remove go-playground/validator entirely from Rekor (which
would shrink rekor-cli by over 1 MB as well), we'd need additional work
to rekor-cli/app/ files pflags.go and validate.go.

Signed-off-by: Zach Steindler <steiza@github.com>
bobcallaway pushed a commit to sigstore/rekor that referenced this issue Nov 8, 2023
steiza added a commit that referenced this issue Nov 9, 2023
See #23

This lets us reduce the size of the sigstore-go binary by over 4 MB,
since sigstore/rekor/pkg/types has many dependencies.

Signed-off-by: Zach Steindler <steiza@github.com>