tg123/sshpiper

Alternative to forking `golang.org/x/crypto`

Opened this issue · 2 comments

Thanks for the great work with sshpiper :)

Sorry I posted here because https://github.com/tg123/sshpiper.crypto has issues disabled. This is just a suggestion, feel free to close. I understand that doing this essentially abandons efforts to get this merged upstream to golang.org/x/crypto.

Currently https://github.com/tg123/sshpiper.crypto forks golang.org/x/crypto. This means that we have to do a mod replace for all of golang.org/x/crypto and you potentially miss critical security updates.

As an alternative, sshpiper.crypto could instead be a Go module with one package: ssh, which itself imports golang.org/x/crypto.

Then users of sshpiper.crypto only import the ssh package; for everything else, they stick to golang.org/x/crypto.

I have done this to avoid the mod replace. I wrote myself a list to update sshpiper.crypto:

  • Clone https://github.com/tg123/sshpiper.crypto into tmp
  • Copy tmp/ssh to ./ssh
  • Copy tmp/internal/poly1305 to ./ssh/internal
  • Copy tmp/ssh/internal/bcrypt_pbkdf to ./ssh/internal
  • Alias PublicKey and Signature to x/crypto/ssh to maintain type compatibility
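
Why the last step in the list above matters, as an added example that is not part of the original post or of sshpiper.crypto. The types are reduced stand-ins for `golang.org/x/crypto/ssh` (all names are constructed): a copied `Signature` is a distinct type and drags `PublicKey` with it, while aliases keep keys written against upstream usable.

```go
package main

import (
	"fmt"
	"reflect"
)

// Reduced stand-ins for golang.org/x/crypto/ssh (constructed for this example).
type UpstreamSignature struct {
	Format string
	Blob   []byte
}
type UpstreamPublicKey interface {
	Type() string
	Verify(data []byte, sig *UpstreamSignature) error
}

// Vendored copy without aliases: identical shape, but new defined types.
type CopiedSignature struct {
	Format string
	Blob   []byte
}
type CopiedPublicKey interface {
	Type() string
	Verify(data []byte, sig *CopiedSignature) error
}

// Vendored copy with aliases: the very same types under a second name.
type AliasedSignature = UpstreamSignature
type AliasedPublicKey = UpstreamPublicKey

// upstreamKey is a key written against the upstream package only.
type upstreamKey struct{}

func (upstreamKey) Type() string { return "ssh-ed25519" }
func (upstreamKey) Verify([]byte, *UpstreamSignature) error { return nil }

func CopiedIface() reflect.Type  { return reflect.TypeOf((*CopiedPublicKey)(nil)).Elem() }
func AliasedIface() reflect.Type { return reflect.TypeOf((*AliasedPublicKey)(nil)).Elem() }

// UsableAs reports whether an upstream-only key satisfies the given interface.
func UsableAs(iface reflect.Type) bool {
	return reflect.TypeOf(upstreamKey{}).Implements(iface)
}

func main() {
	fmt.Println("copied PublicKey accepts upstream key: ", UsableAs(CopiedIface()))
	fmt.Println("aliased PublicKey accepts upstream key:", UsableAs(AliasedIface()))
}
```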

What I have to do is watch upstream and update timely.

I did not get how your solution works. Could you please send a PR?

We had the same problem.