migrate to crypton-x509

[juhp]

crypton-x509* is replacing the x509* libraries.

Note the x509* library are still in Stackage Nightly at this time - this is a first heads-up

x509 (Grandfathered dependencies) (not present) depended on by:

• aws-sns-verify-0.0.0.2 (>=1.7.5). Freckle Engineering freckle-engineering@renaissance.com @pbrisbin @mjgpy3 @StevenXL. Used by: library
• crypton-x509-1.7.6 (-any). Grandfathered dependencies. Used by: test-suite
• cryptostore-0.3.0.0 (>=1.7.5). Grandfathered dependencies. Used by: library
• jose-0.10 (>=1.4). Fraser Tweedale frase@frase.id.au @frasertweedale. Used by: library
• jwt-0.11.0 (-any). Brian McKenna brian@brianmckenna.org @puffnfresh. Used by: library
• network-simple-tls-0.4.1 (-any). Renzo Carbonara renzocarbonara@gmail.com @k0001. Used by: library
• postgresql-typed-0.6.2.2 (-any). Dylan Simon dylan-stack@dylex.net @dylex. Used by: library
• tcp-streams-1.0.1.1 (>=1.5 && < 2.0). Winter Han winterland1989@gmail.com @winterland1989. Used by: library
• wai-saml2-0.4 (< 2). Michael B. Gale github@michael-gale.co.uk @mbg. Used by: library
• warp-tls-uid-0.2.0.6 (-any). Yoshikuni Jujo PAF01143@nifty.ne.jp @YoshikuniJujo. Used by: library

x509-store (Grandfathered dependencies) (not present) depended on by:

• jwt-0.11.0 (-any). Brian McKenna brian@brianmckenna.org @puffnfresh. Used by: library
• network-simple-tls-0.4.1 (-any). Renzo Carbonara renzocarbonara@gmail.com @k0001. Used by: library
• postgresql-typed-0.6.2.2 (-any). Dylan Simon dylan-stack@dylex.net @dylex. Used by: library
• tcp-streams-1.0.1.1 (>=1.5 && < 2.0). Winter Han winterland1989@gmail.com @winterland1989. Used by: library
• wai-saml2-0.4 (< 2). Michael B. Gale github@michael-gale.co.uk @mbg. Used by: library

x509-system (Grandfathered dependencies) (not present) depended on by:

• amqp-utils-0.6.3.2 (-any). Frank Doepper stackage@woffs.de @woffs. Used by: executable
• network-simple-tls-0.4.1 (-any). Renzo Carbonara renzocarbonara@gmail.com @k0001. Used by: library
• pontarius-xmpp-0.5.6.5 (>=1.4). Sergey Alirzaev zl29ah@gmail.com @l29ah. Used by: library
• tcp-streams-1.0.1.1 (>=1.5 && < 2.0). Winter Han winterland1989@gmail.com @winterland1989. Used by: library

x509-validation (Grandfathered dependencies) (not present) depended on by:

• aws-sns-verify-0.0.0.2 (>=1.6.11). Freckle Engineering freckle-engineering@renaissance.com @pbrisbin @mjgpy3 @StevenXL. Used by: library
• cryptostore-0.3.0.0 (>=1.5). Grandfathered dependencies. Used by: library
• network-simple-tls-0.4.1 (-any). Renzo Carbonara renzocarbonara@gmail.com @k0001. Used by: library
• postgresql-typed-0.6.2.2 (-any). Dylan Simon dylan-stack@dylex.net @dylex. Used by: library

Please migrate your packages to crypton-x509*

[phadej]

@juhp tls-1.7.0 seems to use crypton

[l29ah]

what

[juhp]

Thanks I updated the description

[l29ah]

Was there anything bad with the old library name or what's the reason?

[juhp]

I haven't seen a broad announcement yet but yesodweb/wai#931 has some more context.

[woffs]

pushed amqp-utils-0.6.4.0 which uses crypton-connection and crypton-x509. Unfortunately there is to be waited for xtendo-org/rawfilepath#7 to be built cleanly.

[pbrisbin]

aws-sns-verify-0.0.0.3 released: https://hackage.haskell.org/package/aws-sns-verify-0.0.0.3/dependencies

[ysangkok]

jose was fixed on Oct 31.

[ysangkok]

I don't think the crypton-x509 is so critical to upgrade to, given that Kazu Yamamoto has uploader rights to x509, as you can see on hackage. So I am not sure what this issue is tracking, since both of those packages can co-exist.

[chreekat]

@ysangkok I'm pretty sure x509 is in the set of packages that Vincent has asked be abandoned. crypton-x509 is a replacement the same way crypton is. I doubt Kazu forked the repo/package just to keep updating the original. Getting everyone to switch ahead of time is a good proactive move.

I guess we can just ask @kazu-yamamoto directly if this is the right move.

[kazu-yamamoto]

I don't maintainx509 anymore because I maintain crypton-*.

[juhp]

Yeah could probably close this now

[mihaimaruseac]

The list of packages currently still depending on x509-*:

x509 (not present) depended on by:

• cryptostore-0.3.1.0 (>=1.7.5). Grandfathered dependencies. Used by: library
• jwt-0.11.0 (>=0). Brian McKenna brian@brianmckenna.org @puffnfresh. Used by: library
• wai-saml2-0.5 (< 2). Michael B. Gale github@michael-gale.co.uk @mbg. Used by: library

x509-store (not present) depended on by:

• jwt-0.11.0 (>=0). Brian McKenna brian@brianmckenna.org @puffnfresh. Used by: library
• wai-saml2-0.5 (< 2). Michael B. Gale github@michael-gale.co.uk @mbg. Used by: library

x509-validation (not present) depended on by:

• cryptostore-0.3.1.0 (>=1.5). Grandfathered dependencies. Used by: library

I'll make a PR and try to remove as many of them as possible

[mihaimaruseac]

Closing, but note that we had to remove 2 additional packages that transitively depended on x509* packages (via jwt):

jwt (not present) depended on by:

• github-rest-1.1.4 (>=0.9 && < 0.12). Brandon Chinn brandonchinn178@gmail.com @brandonchinn178. Used by: library
• gmail-simple-0.1.0.6 (>=0). Daniel Casanueva daniel.casanueva@proton.me @Daniel-Diaz. Used by: library

[ysangkok]

it seems like crypton-x509's test suite is also depending on x509. i've made an issue:

• crypton-x509's test suite depends on x509 kazu-yamamoto/crypton-certificate#10

[mbg]

FWIW, I prepared a PR for wai-saml2 to change the dependencies back when I got tagged here, but I was hoping that more context than the issue linked to in this comment would be added here before merging that.

Perhaps I am out of the loop with what's going on in the Haskell world, but it seems a big ask to just change security critical dependencies without much of an explanation for why that needs to happen and why I should trust the replacements.

I followed through a few issues and came across haskell-infra/hackage-trustees#396 which doesn't seem to be resolved yet.

[ysangkok]

@mbg It's unfortunate, but the summary of it all is that Vincent doesn't want to pass on maintainership of the packages. The crypton packages are maintained by Kazu Yamamoto, and he already maintains a lot of notable packages, so you're probably already trusting him.

See

• using crypton yesodweb/wai#931 (comment) , which has comments from Kazu indicating that he couldn't take over the existing packages.
• This thread has a few more comments from Vincent: reassign vincent hanquez packages #7336 (comment)

Considering that cryptonite has bugs that are fixed in crypton, I think it's reasonable to switch. And it seems excessively conservative to stick with something just because it's what you're already depending on. There are open issues with cryptonite.