Replace Deprecated UUID Package #7

Closed
tri-adam opened this issue May 4, 2021 · 3 comments · Fixed by #33
Labels
v2 Affects v2 API

Comments

@tri-adam
Member

tri-adam commented May 4, 2021

The github.com/satori/go.uuid module used by this project does not appear to be actively maintained (ref).

We should consider switching to the github.com/gofrs/uuid package, or some other suitable alternative.

@tri-adam
Member Author

tri-adam commented May 5, 2021

Did a little research into this. The github.com/gofrs/uuid package lacks a go.mod, with an explanation offered in gofrs/uuid#85. Personally, that feels a little off-putting to me, and I think we'd be wise to consider alternatives.

github.com/google/uuid seems to be the other, obvious alternative.

The uuid.UUID type is used in two exported struct fields in the SIF API:

ID uuid.UUID // image unique identifier

ID uuid.UUID // image unique identifier

Strictly speaking, the semantics of Go module versioning require a major version bump to implement this backwards incompatible change (see here for more info.)

@cameracker

Hey!

I wandered into this issue because someone posted on that issue you linked. I wanted to mention that this repo is using a version of satori/go.uuid that has a CVE filed against it because periodically the UUIDs will be about 50% 0's. This problem is fixed on master but the maintainer failed to tag it.

It seems like the recommendations in the issue here are pretty great! But I'd suggest expediency.
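
The comment above says affected UUIDs come out about 50% zeros. As an added example (not part of this thread or the project's code), the following standard-library Go check flags identifiers with an implausible number of zero bytes. The function names and the threshold of 4 are assumptions made here, and the sample values are constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumed threshold: a properly random v4 UUID has 4 or more zero bytes
// with a probability well under one in a million.
const zeroByteThreshold = 4

// countZeroBytes parses a canonical UUID string and returns how many of
// its 16 bytes are 0x00.
func countZeroBytes(s string) (int, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		return 0, fmt.Errorf("not a canonical UUID: %q", s)
	}
	n := 0
	for _, b := range raw {
		if b == 0 {
			n++
		}
	}
	return n, nil
}

// auditUUIDs returns the inputs that are unparseable or look
// under-randomized, in input order.
func auditUUIDs(ids []string) []string {
	var flagged []string
	for _, id := range ids {
		n, err := countZeroBytes(id)
		if err != nil || n >= zeroByteThreshold {
			flagged = append(flagged, id)
		}
	}
	return flagged
}

func main() {
	// Constructed sample values, not taken from any real image.
	ids := []string{
		"3f2b8c1e-9a47-4d5b-8e21-7c6a5d4f3b2a",
		"3f2b8c1e-9a47-4d5b-0000-000000000000",
	}
	for _, id := range auditUUIDs(ids) {
		fmt.Println("suspicious:", id)
	}
}
```

A flagged value is a candidate for regeneration with a fixed or replacement UUID package; the check does not prove which generator produced it.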

@tri-adam
Member Author

tri-adam commented May 7, 2021

Thank you for the heads up @cameracker, much appreciated!

I've gone ahead and opened up #8 as a short-term solution to this that doesn't require a major version bump.

We still need to move away from that module to something that is maintained, but this buys us some time to consider if there are any other breaking changes we want to introduce with the new major version of this module.
