Part of the motivation here was to remove the dependency completely (to have it removed from the go.sum). But I see the package is still used (in the test). Can it be removed completely?

@jessepeterson what is the goal of fully removing it from go.sum? The file is not intended to be ingested for determining dependencies or vulnerabilities; that should be based on go.mod. If it's solely to get a smaller/cleaner file, I think we shouldn't make our lives harder than needed.

Downstream dependencies also include references of their dependents, don't they? But more to the point if the dependency is still there.. why even remove it at all?

Well, we got rid of github.com/go-stack/stack and github.com/go-logfmt/logfmt, so that's at least something.

go-kit is only needed for the tests. If we remove its usage from the test, there's no guarantee that it'll work as expected, as the level can't be injected/faked from outside the go-kit/log package. We could choose to fully fake the logger by emulating its behavior using log/slog, though.

go-kit is used in several places in https://github.com/micromdm/scep directly, so it's already a dependency there. Removing it from this package doesn't seem to help there, unless there's plans to use a different logger?

Well, we got rid of github.com/go-stack/stack and github.com/go-logfmt/logfmt, so that's at least something.

Yep, that's great!

But here's an example project that tries to include it: https://gist.github.com/jessepeterson/671b3b7fe2140dda535dbb30166f33c4

As you can see from the go.sum it includes this project's dependencies (go-kit) when I'm not using them. No, it doesn't interfere with anything — perhaps this my own personal desire to simply de-clutter go.sum files. It irks me that dependencies I'm not using show up in my project unnecessarily. :) Probably quibbling over small details, but 🤷 .

go-kit is only needed for the tests. If we remove its usage from the test, there's no guarantee that it'll work as expected, as the level can't be injected/faked from outside the go-kit/log package. We could choose to fully fake the logger by emulating its behavior using log/slog, though.

Yeah by moving away from go-kit logging to our own logging package there is no guarantee it'll work. I think that's implied. We now guarantee that we work with our logging interface (in logger.go). It just so happens to also be compatible (at the time of writing) with Go-kit's logger interface. Yes — I would mock the logger (though, I wouldn't mock it with slog just yet — requiring Go 1.21 seems a little steep—but that's just my personal preference).

go-kit is used in several places in https://github.com/micromdm/scep directly, so it's already a dependency there. Removing it from this package doesn't seem to help there, unless there's plans to use a different logger?

Yes, micromdm/scep is heavily invested in Go-kit in general but the plan is to move away from it. Who knows when that'll come—perhaps when when we drop server capability. The Nano* projects have been using jessepeterson/go-log (embedded) for some time but have recently switched to importing micromdm/nanolib/log which is the same, just imported. We'll write an adapter to slog at some point, too.

@jessepeterson I've opened #21.

Given that implementations should adhere to the scep.Logger interface, and the fact that we already "broke" setting the debug level in the messages, I think we can do it like this.

Not sure why we got some of the new lines in go.sum after upgrading pkcs7. They're not used in the package itself 🧐

I've opened #21.

Thanks!

I'll also just add, when the eventual refactor comes about (I know, when we all have free time, right?), I would question even including a logger facility at all. This package is largely for data structures and marshaling to and fro. I'd prefer to have ways to access (or be able to export) the relevant logged data and push logging up to the package/library users. This was also brought up (forever ago) in the previous project over in micromdm/scep#62.

I just thought removing the go-kit dependency (for now) was a step along the way, considering we have a local interface defined. Fwiw the logging could be removed now and keep the API unchanged (just not using any provided logger). ;P

I've opened #21.

Thanks!

I'll also just add, when the eventual refactor comes about (I know, when we all have free time, right?), I would question even including a logger facility at all. This package is largely for data structures and marshaling to and fro. I'd prefer to have ways to access (or be able to export) the relevant logged data and push logging up to the package/library users. This was also brought up (forever ago) in the previous project over in micromdm/scep#62.

Yeah, I mostly agree. We should make use of some more sentinel errors or typed errors with appropriate context. And we could look into adding a method to get a slog.Attr from a SCEP message to ease logging, potentially with a fallback for older Go versions if deemed necessary. There's a few operations that take a couple of steps, specifically the ones that call into pkcs7. For those it might make sense to be able to optionally pass a logger for debugging purposes, as I've sometimes opted to logging i.e. DER contents of a request while looking into issues, so I'm keeping that option open for now. But I agree that it would be nicer to be able to handle it outside the package.

I just thought removing the go-kit dependency (for now) was a step along the way, considering we have a local interface defined. Fwiw the logging could be removed now and keep the API unchanged (just not using any provided logger). ;P

😅