i’m aware of the dependency graph, i was talking more loosely in the sense that HTTP/2 requires TLS to work. but yeah, adding additional trust roots to the client is probably the way to go here.
i’m not sure if that repository is the current Foundation that ships with the toolchain, my understanding is that the new Foundation is still in active development and it will be some time until it supplants the Foundation that gets linked by SPM.
but at any rate, yes it is still a problem. the new Foundation is an improvement in that the heavy ICU/localization stuff has been moved to FoundationInternationalization, but the remainder of FoundationEssentials still duplicates far too much of what i already have in my server binary. (e.g. a second JSON parser, a second UUID, a second attributed string, et cetera et cetera.)
i am not hating on Foundation because i recognize it is very valuable for client applications, especially if you have many different swift binaries loaded into memory at a given time. but its architecture just isn’t a great fit for server applications where you typically have several processes launched from one binary with different arguments.