
Separate cosigned into a different repository/reduce dependencies #651

Closed
sambhav opened this issue Sep 12, 2021 · 6 comments

Comments

@sambhav (Contributor)

sambhav commented Sep 12, 2021

Description

cosign currently houses an admission controller (cosigned) which includes quite a few k8s related dependencies in the project go.mod. This inflates the dependency tree by quite a bit when trying to import cosign as a library. Even though it may not impact the output binaries, it does impact the development and dependency resolution of the projects that try to include cosign. This also includes dependency conflicts that require manual replace statements in downstream repositories like buildpacks-community/kpack#817 (comment).

Given that cosign as a library provides such critical functionality, it would be great if we could keep the dependencies to a minimum required.

@dlorenc (Member)

dlorenc commented Sep 12, 2021

I hope we can fix this without splitting repositories. If we make sure the packages are set up correctly and well separated, it should be possible to depend on cosign without the cosigned deps.

@sambhav (Contributor, Author)

sambhav commented Sep 12, 2021

+1 if we can find a way to reduce cosign dependencies without separating cosigned that would be a win-win :)

@sambhav (Contributor, Author)

sambhav commented Sep 12, 2021

Related slack thread https://sigstore.slack.com/archives/C01PZKDL4DP/p1631407770175900?thread_ts=1631407770.175900&cid=C01PZKDL4DP

TL;DR: we can try to separate cosigned into a subfolder and use replace directives with local directories to allow cosigned to pick up the latest cosign version while still keeping the dependencies separate. I will try to attempt to make a draft PR with these changes sometime next week.
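The layout proposed in the thread above (a nested `cosigned` module whose `go.mod` points back at the parent checkout with a local-directory `replace`, so library consumers of cosign never inherit the k8s requirements) can be checked mechanically. The program below is an added illustration, not code from sambhav or from the cosign project: it contains a minimal go.mod reader written against the standard library (not `golang.org/x/mod/modfile`), two constructed sample go.mod files whose version strings are placeholders, and two checks a reviewer of such a PR would want: that the root module requires nothing under `k8s.io/`, and that the nested module resolves `github.com/sigstore/cosign` to `../` rather than to a published version.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ModFile holds the parts of a go.mod that matter for this dependency question.
type ModFile struct {
	Module  string
	Require map[string]string // module path -> required version
	Replace map[string]string // module path -> replacement target (local dir or "path version")
}

// ParseGoMod is a deliberately small go.mod reader: module, require and replace
// directives in single-line and block form. It is an illustration only, not the
// golang.org/x/mod/modfile parser the Go toolchain uses.
func ParseGoMod(src string) ModFile {
	mf := ModFile{Require: map[string]string{}, Replace: map[string]string{}}
	block := "" // "require" or "replace" while inside a ( ... ) block
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		if block != "" && line == ")" {
			block = ""
			continue
		}
		fields := strings.Fields(line)
		kind, args := block, fields
		if block == "" {
			kind, args = fields[0], fields[1:]
			if len(args) == 1 && args[0] == "(" { // opening a block
				block = kind
				continue
			}
		}
		switch kind {
		case "module":
			if len(args) > 0 {
				mf.Module = args[0]
			}
		case "require":
			if len(args) >= 2 {
				mf.Require[args[0]] = args[1]
			}
		case "replace":
			// old [version] => new [version]; everything after "=>" is the target
			if i := indexOf(args, "=>"); i > 0 && i+1 < len(args) {
				mf.Replace[args[0]] = strings.Join(args[i+1:], " ")
			}
		}
	}
	return mf
}

func indexOf(ss []string, want string) int {
	for i, s := range ss {
		if s == want {
			return i
		}
	}
	return -1
}

// DepsWithPrefix lists required module paths under prefix (e.g. "k8s.io/"), sorted.
func DepsWithPrefix(mf ModFile, prefix string) []string {
	var out []string
	for p := range mf.Require {
		if strings.HasPrefix(p, prefix) {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// Resolve reports where a required module is actually taken from once replace
// directives are applied: the replacement target, or "path version" if none.
func Resolve(mf ModFile, path string) string {
	if r, ok := mf.Replace[path]; ok {
		return r
	}
	if v, ok := mf.Require[path]; ok {
		return path + " " + v
	}
	return ""
}

// Constructed sample: the root (library) module keeps only non-k8s requirements.
// Version strings are placeholders, not real cosign releases.
const rootGoMod = `module github.com/sigstore/cosign

go 1.17

require (
	github.com/sigstore/sigstore v0.0.0-placeholder
	github.com/google/go-containerregistry v0.0.0-placeholder
)
`

// Constructed sample: the nested admission-controller module. The local replace
// makes cosigned build against the parent checkout, while importers of
// github.com/sigstore/cosign never see the k8s.io requirements listed here.
const cosignedGoMod = `module github.com/sigstore/cosign/cosigned

go 1.17

require (
	github.com/sigstore/cosign v0.0.0
	k8s.io/api v0.0.0-placeholder
	k8s.io/client-go v0.0.0-placeholder
)

replace github.com/sigstore/cosign => ../
`

func main() {
	root, nested := ParseGoMod(rootGoMod), ParseGoMod(cosignedGoMod)
	fmt.Printf("%s k8s.io deps: %v\n", root.Module, DepsWithPrefix(root, "k8s.io/"))
	fmt.Printf("%s k8s.io deps: %v\n", nested.Module, DepsWithPrefix(nested, "k8s.io/"))
	fmt.Printf("cosigned resolves cosign from: %s\n", Resolve(nested, "github.com/sigstore/cosign"))
}
```

Running the checks against a real checkout would mean pointing `ParseGoMod` at the two go.mod files on disk; the same two assertions (no `k8s.io/` under the root module, a local-directory target for the cosign replace in the nested one) are what a CI step guarding this layout would enforce.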

@hectorj2f (Contributor)

The main reason to keep the dependencies together is to easily maintain and test any change. If we move it to a separate subfolder that would work.

@dlorenc (Member)

dlorenc commented Dec 19, 2021

Are the dependencies still a problem here?

@hectorj2f (Contributor)

We've discussed this topic again and came to the conclusion that we prefer to keep fewer repositories, since maintenance (dependencies, testing, ...) gets to be a headache over time.

Closing this issue for now! @samj1912 Feel free to re-open it.
