
internal/releasesjson: replace deprecated openpgp dependency #131

Merged
merged 1 commit into from
May 2, 2023

Conversation

rolandshoemaker (Contributor)

Switches away from the deprecated, unmaintained golang.org/x/crypto/openpgp module, and replaces it with the (mostly) drop-in, maintained, github.com/ProtonMail/go-crypto/openpgp.

This is part of a wider effort by the Go Security team to remove uses of golang.org/x/crypto/openpgp from the Go ecosystem.

radeksimko (Member) left a comment:

Hi @rolandshoemaker
Thanks for the note and for the PR!

This looks reasonable to me. I am just asking internally to see if we have consensus on the replacement to use within HashiCorp and also to nudge other projects to replace it.

radeksimko (Member)

There is currently no consensus, mostly because the two libraries aren't entirely equivalent.

For example, the ProtonMail implementation brings in support for ECC keys - whether or not we want that is a separate conversation to have, maybe as part of hashicorp/terraform#32056

That said, this concerns mostly Terraform providers - which hc-install is not designed to install - and the tooling we use to sign artifacts which end up at releases.hashicorp.com already uses the same ProtonMail library, even though it may not actually sign via ECC keys or use all the features which the library offers. Without judging the decision or the feature set, there is a valid argument about aligning the two IMO.

This is not the same argument one can make about your other PR (hashicorp/terraform#33131) though - the situation there will require some further conversations, especially with the Terraform Registry team.

I hope the context is helpful.

@radeksimko radeksimko merged commit 686bd8b into hashicorp:main May 2, 2023