On Fri, Jan 13, 2023 at 3:09 AM Vladimir Sitnikov ***@***.***> wrote:
*Description*
Currently, sigstore-java is all-in-one, so users can't select the bits they need, and the dependency surface might become an issue.
For instance, generating a Sigstore Bundle requires protobuf-java, which is a 1.5M jar, and it often has CVEs:
https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java
I guess it might work slightly better if we make sigstore-java an umbrella module with little to no code, and split the implementation into sigstore-java-rekor, sigstore-java-fulcio, sigstore-java-bundle, sigstore-java-tuf, and so on.
WDYT?
—
Reply to this email directly or view it on GitHub <#284>.
I'm inclined to think it might be easier to start by committing everything together (e.g. merge bundle into sigstore-java), and then try moving classes around to see if they really split :)
Description
Currently, sigstore-java is all-in-one, so users can't select the bits they need, and the dependency surface might become an issue.
For instance, generating a Sigstore Bundle requires protobuf-java, which is a 1.5M jar, and it often has CVEs: https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java
I guess it might work slightly better if we make sigstore-java an umbrella module with little to no code, and split the implementation into:
- sigstore-java-rekor
- sigstore-java-fulcio
- sigstore-java-bundle: Produce Sigstore Bundle #262
- sigstore-java-tuf
- sigstore-java-rfc3161
WDYT?