sigstore-java
Split sigstore-java into several modules
Description
Currently, sigstore-java is all-in-one, so users can't select the bits they need, and the dependency surface might become an issue.

For instance, generating a Sigstore Bundle requires protobuf-java, which is a 1.5M jar, and it often has CVEs: https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java

I guess it might work slightly better if we make sigstore-java an umbrella module with little to no code, and split the implementation into:

- sigstore-java-rekor
- sigstore-java-fulcio
- sigstore-java-bundle: https://github.com/sigstore/sigstore-java/pull/262
- sigstore-java-tuf
- sigstore-java-rfc3161

WDYT?
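As an added example that is not the project's own build (the real sigstore-java build files are not shown on this page), here is how the umbrella-plus-submodules layout proposed above would look in Gradle Kotlin DSL. The module names are the ones from the proposal; the group id `dev.sigstore`, the version placeholders, the `api` vs `implementation` choices and the existence of a separate "verifier" consumer are assumptions made for illustration.

```kotlin
// Added illustration, not sigstore-java's actual build files.
// Several build files are shown in one block, separated by file-name comments.

// ---- settings.gradle.kts ----
rootProject.name = "sigstore-java-root"      // assumed root name
include(
    "sigstore-java",          // umbrella: little to no code, depends on everything below
    "sigstore-java-rekor",
    "sigstore-java-fulcio",
    "sigstore-java-bundle",
    "sigstore-java-tuf",
    "sigstore-java-rfc3161",
)

// ---- sigstore-java/build.gradle.kts (the umbrella) ----
plugins { `java-library` }
dependencies {
    // `api`, not `implementation`: someone depending on the umbrella must see
    // every submodule's types on their compile classpath, exactly as today.
    api(project(":sigstore-java-rekor"))
    api(project(":sigstore-java-fulcio"))
    api(project(":sigstore-java-bundle"))
    api(project(":sigstore-java-tuf"))
    api(project(":sigstore-java-rfc3161"))
}

// ---- sigstore-java-bundle/build.gradle.kts ----
plugins { `java-library` }
dependencies {
    // protobuf-java is declared only here, so only consumers of the bundle
    // module pay for it. Which scope is right depends on the module's API:
    //  - if public methods return generated protobuf message types, this must
    //    be `api`, and the 1.5M jar (and its CVE history) is part of the
    //    module's public surface whether we like it or not;
    //  - if protobuf is used only internally (e.g. to serialise the bundle
    //    to JSON), `implementation` keeps it off consumers' compile classpath,
    //    though it still ships on their runtime classpath.
    implementation("com.google.protobuf:protobuf-java:<version>") // pin centrally
}

// ---- sigstore-java-tuf/build.gradle.kts ----
plugins { `java-library` }
dependencies {
    // Deliberately nothing pointing back at the umbrella or at verifier code.
    // A project edge tuf -> verifier -> tuf would make Gradle reject the build
    // with a circular task dependency, which is the "dep from tuf back to the
    // verifier" that has to be broken before this split can happen.
}

// ---- a consumer's build.gradle.kts, picking only the piece it needs ----
dependencies {
    // Only the Rekor client: the bundle module, and with it protobuf-java,
    // never reaches this consumer's classpath (assuming the rekor module itself
    // does not depend on protobuf).
    implementation("dev.sigstore:sigstore-java-rekor:<version>")
}
```

To check that the split actually removes the jar rather than just moving it, resolve the runtime classpath of the submodule you expect to be protobuf-free and confirm `com.google.protobuf:protobuf-java` is absent from the tree, for example with `./gradlew :sigstore-java-rekor:dependencies --configuration runtimeClasspath`.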
I think this makes sense. I just need to break the dep from tuf back to the verifier. I was planning on doing that anyway.
[In reply to Vladimir Sitnikov's issue above, opened Fri, Jan 13, 2023 at 3:09 AM: https://github.com/sigstore/sigstore-java/issues/284]
I'm inclined to think it might be easier to start by committing everything together (e.g. merge bundle into sigstore-java), and then try moving classes around to see if they really split :)