Reduce dependencies

[TheBlueMatt]

I was looking at using this crate as a part of a larger project, but noticed that the dependency list is more than a little absurd. to the point that I don't really feel comfortable trusting that many third party developers with the money of people who might use my software. Obviously dependencies are not, in principle, a bad thing, and save lots of time, but dependencies where the project is almost exclusively built by a single third party with limited review is just an opportunity for that third-party (or a threat actor who compromises the computer/Github account of that third party) to steal the money of everyone who uses breez-sdk-spark.

Just scrolling through the list of breez-sdk-spark dependencies from top to bottom, there's lots of crates that look like they get limited if any outside contribution, things like dotenvy, ecies (which is a trivial algorithm you can write yourself!), nostr, qrcode-rs, shellwords, tokio-with-wasm (which certainly doesn't need to be built for non-wasm targets!), web-time (you can just use std time when building with wasm-pack!), x509-parser, and base32 (come on, just copy the code...) probably all don't make sense in a Bitcoin wallet, and that's not even looking at recursive dependencies or other sub-crates here.

While cleaning these up all at once may be a chunk of work (or may not be, depending on how these are used!), making progress on this over time while restricting new dependencies is almost certainly a good idea.

[TheBlueMatt]

Oh, also, why use the k256 crate? The secp256k1 crate is already a transitive dependency through various sub-crates, and is a much higher-quality library.

[roeierez]

We will go over our dependencies and start removing whatever makes sense.

[TheBlueMatt]

One fairly-easy way to cut down a lot of dependencies is to switch from reqwest to bitreq (https://docs.rs/bitreq/latest/bitreq/). Its maintained as a part of rust-bitcoin's corepc crate and relies on a ton fewer dependencies (basically only tokio and rustls) and avoids anti-features like IDNs. You'll likely still have some transitive dependencies on reqwest, but hopefully over time all the rust-bitcoin world HTTP clients move over and you lose a lot of deps.

[roeierez]

One fairly-easy way to cut down a lot of dependencies is to switch from reqwest to bitreq (https://docs.rs/bitreq/latest/bitreq/). Its maintained as a part of rust-bitcoin's corepc crate and relies on a ton fewer dependencies (basically only tokio and rustls) and avoids anti-features like IDNs. You'll likely still have some transitive dependencies on reqwest, but hopefully over time all the rust-bitcoin world HTTP clients move over and you lose a lot of deps.

@TheBlueMatt We have a PR that replaces reqwest with bitreq. While it works fine natively I suspect (still didn't test) it will not work on Android. The reason is that with reqwest we had to use "native-tls" feature and I don't see such feature in bitreq which uses rust-tls ( I don't think existing feature rustls-native-certs has the same effect). Are you aware of such issue?

[TheBlueMatt]

Interesting! I believe @tnull has had the opposite experience with native-tls never working on android in ldk-node bindings. In any case, I opened a PR at rust-bitcoin/corepc#451 to allow selecting a TLS provider. I also did some work to clean up and improve the async logic in bitreq, see the dependent PR, so you might want to just upgrade once that's all released (hopefully this week or so once tobin is back).

[TheBlueMatt]

Unrelatedly, looking at the breez-sdk-common dependencies, a huge chunk of it is the hickory DNS resolver. Any idea why you're depending on it? If you're just using it for BIP 353, have you seen the dnssec-prover crate? It can query DNS records given a recursive DNS resolver (eg 8.8.8.8, 1.1.1.1, or the local resolver), build up a DNSSEC proof, and validate DNSSEC proof(s), all of which is sufficient for BIP 353 and with a lot less code.

[roeierez]

Interesting! I believe @tnull has had the opposite experience with native-tls never working on android in ldk-node bindings. In any case, I opened a PR at rust-bitcoin/corepc#451 to allow selecting a TLS provider. I also did some work to clean up and improve the async logic in bitreq, see the dependent PR, so you might want to just upgrade once that's all released (hopefully this week or so once tobin is back).

Nice! I am going to take a deeper look at the android issue this week and the support for native-tls you added for bitreq.

Unrelatedly, looking at the breez-sdk-common dependencies, a huge chunk of it is the hickory DNS resolver. Any idea why you're depending on it? If you're just using it for BIP 353, have you seen the dnssec-prover crate? It can query DNS records given a recursive DNS resolver (eg 8.8.8.8, 1.1.1.1, or the local resolver), build up a DNSSEC proof, and validate DNSSEC proof(s), all of which is sufficient for BIP 353 and with a lot less code.

Indeed it is used for BIP 353. I will take a look into replace it with dnssec_prover this week.

[roeierez]

@TheBlueMatt I have tested with rust-tls and with your PR and native-tls and both works.
We will have to test it with more android versions but this is enough to move forward and take the reqwest PR out of draft. Also we can start with rust-tls since the android package size is 5m less.