
Pare unnecessary dependencies #589

Open
mikedanese opened this issue Jan 31, 2024 · 3 comments
@mikedanese
Contributor

mikedanese commented Jan 31, 2024

As TUF operates in a central layer to my security architecture, I would like to assess and minimize the risk incurred by using go-tuf to implement the protocol.

When I create a minimal example program:

```console
$ mkdir -p go-tuf-example && cd go-tuf-example
$ go mod init github.com/mikedanese/go-tuf-example
$ cat <<EOF > main.go
package main

import "github.com/theupdateframework/go-tuf/v2/metadata/repository"

func main() {
        repository.New()
}
EOF
$ go get ./...
go: added github.com/google/go-containerregistry v0.17.0
go: added github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e
go: added github.com/opencontainers/go-digest v1.0.0
go: added github.com/secure-systems-lab/go-securesystemslib v0.8.0
go: added github.com/sigstore/sigstore v1.8.1
go: added github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084
go: added github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
go: added golang.org/x/crypto v0.18.0
go: added golang.org/x/exp v0.0.0-20230321023759-10a507213a29
go: added golang.org/x/sys v0.16.0
go: added golang.org/x/term v0.16.0
go: added gopkg.in/go-jose/go-jose.v2 v2.6.1
go: added gopkg.in/yaml.v3 v3.0.1
$ go mod tidy
$ go mod vendor
```

I end up with a very substantial dependency footprint.

Any appetite for paring these dependencies down? It looks like much can be reimplemented with a few lines of code and the std library. Yaml, go-jose, go-containerregistry would be good to remove. Happy to send a few PRs.
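The risk the issue describes is measurable at review time: a consumer can put a gate in CI that parses `go.mod` and fails when a module outside an agreed allowlist shows up. The script below is an added example, not code from go-tuf or from the issue author. It reads a constructed `go.mod` whose module set is taken from the `go get` output above; which entries are direct and which are `// indirect` is assumed for illustration, and the allowlist is a demo policy, not a maintainer recommendation.

```shell
#!/bin/sh
# Added example, not code from the go-tuf project: a small CI-style gate that
# reads a go.mod, lists its require entries and fails when a module outside an
# allowlist appears, so dependency growth like the one reported above is caught
# at review time instead of discovered after `go mod vendor`.

# Constructed go.mod in the shape `go mod tidy` writes. The module set is taken
# from the `go get` output in the issue; which entries are direct and which are
# "// indirect" is assumed here for illustration, not copied from the project.
SAMPLE_GOMOD='module github.com/mikedanese/go-tuf-example

go 1.21

require (
    github.com/secure-systems-lab/go-securesystemslib v0.8.0
    github.com/theupdateframework/go-tuf/v2 v2.0.0-20240130081036-9d5773172084
)

require (
    github.com/google/go-containerregistry v0.17.0 // indirect
    github.com/sigstore/sigstore v1.8.1 // indirect
    gopkg.in/yaml.v3 v3.0.1 // indirect
)
'

# Space-separated allowlist of modules this example project is willing to carry
# (assumed demo policy, not a recommendation from the maintainers).
ALLOWLIST='github.com/theupdateframework/go-tuf/v2 github.com/secure-systems-lab/go-securesystemslib'

# list_requires GOMOD_TEXT [direct]
# Print "module version" for every require entry, from single-line `require`
# statements and `require ( ... )` blocks alike. With "direct" as the second
# argument, entries marked "// indirect" are skipped.
list_requires() {
    printf '%s\n' "$1" | awk -v mode="${2:-}" '
        /^require[ \t]*\(/ { inblock = 1; next }   # start of a require block
        inblock && /^\)/   { inblock = 0; next }   # end of the block
        /^require[ \t]/    { mod = $2; ver = $3 }  # single-line require
        inblock && NF >= 2 { mod = $1; ver = $2 }  # entry inside a block
        mod != "" {
            if (!(mode == "direct" && index($0, "// indirect") > 0)) print mod, ver
            mod = ""
        }
    '
}

# count_requires GOMOD_TEXT [direct]: number of entries list_requires prints.
count_requires() {
    list_requires "$1" "${2:-}" | awk 'END { print NR }'
}

# check_allowlist GOMOD_TEXT ALLOWLIST
# Print each required module (direct or indirect) absent from the allowlist and
# exit 1 if any were found, so the function can serve directly as a CI step.
check_allowlist() {
    list_requires "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1; bad = 1 }
        END { if (bad) exit 1 }
    '
}

# Demo run over the constructed go.mod.
echo "total requires: $(count_requires "$SAMPLE_GOMOD")"
echo "direct requires: $(count_requires "$SAMPLE_GOMOD" direct)"
check_allowlist "$SAMPLE_GOMOD" "$ALLOWLIST" || echo "modules outside the allowlist found (listed above)"
```

On a real checkout, replace `SAMPLE_GOMOD` with `$(cat go.mod)` and keep the allowlist in the repository so that widening it is itself a reviewed change; indirect entries are deliberately included in the check, because the transitive modules are what actually end up in `vendor/` and in the build.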

@mnm678
Collaborator

mnm678 commented Jan 31, 2024

I'd be happy to review PRs reducing our dependencies, or possibly making some of them optional.

@rdimitrov
Contributor

@mikedanese - hey, thanks for reaching out! 🚀

I definitely like the idea of trimming the dependency footprint, so if you already have something in mind feel free to share it and we'll be happy to review and incorporate it! 💯

@MDr164
Contributor

MDr164 commented Mar 7, 2024

I think the biggest "issue" here is the direct dependency on github.com/sigstore/sigstore (which, funnily enough, has a dependency on go-tuf v0.7.0), which in turn has a lot of dependencies itself. Otherwise there are no big deps in our chain. There are currently two PRs open, #617 and #620, which reduce our direct dependencies by two. I still have a refactoring of the test suite on my table which would allow us to also drop github.com/spf13/cobra in favor of using the stdlib. I have no strong opinion on github.com/stretchr/testify, and lastly github.com/secure-systems-lab/go-securesystemslib needs to stay, IMO.
