Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/openpgp: mark as frozen and deprecated #44226

Closed
FiloSottile opened this issue Feb 11, 2021 · 5 comments
Closed

x/crypto/openpgp: mark as frozen and deprecated #44226

FiloSottile opened this issue Feb 11, 2021 · 5 comments
Labels
Proposal Proposal-Accepted Proposal-Crypto
Projects
Milestone

Comments

@FiloSottile
Copy link
Contributor

@FiloSottile FiloSottile commented Feb 11, 2021

March 2021 Update

This proposal was accepted and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If you find a security issue, please email security@golang.org.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, Tink for various cryptographic tools, or filippo.io/age for encryption (the latter two are not maintained by the Go team). You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering a maintained community fork of golang.org/x/crypto/openpgp. We don't endorse any specific one.


Intent

This is a proposal to freeze and deprecate but not remove the golang.org/x/crypto/openpgp package, providing only security patches going forward. Open issues and CLs would be triaged, fixed if they are security issues, and closed otherwise.

Summary

The golang.org/x/crypto/openpgp package is effectively unmaintained.

Maintaining it would require significant effort, which would not be the best use of our team's resources, and a community maintainer has not materialized.

Not communicating this clearly to users is making them a disservice, and stifling the opportunity for the community to converge on a third-party fork.

Details

OpenPGP is not something we want Go developers to use. OpenPGP is incompatible with https://golang.org/design/cryptography-principles, it's complex, fragile, and unsafe, and using it exposes applications to a dangerous ecosystem. (Just the other day there was an exploitable heap overflow in GnuPG.) Oceans of ink have been spilled about this, and a debate about the qualities of PGP wouldn't be productive for anyone, so let's keep it off topic, except to the extent that it informs team resource allocation.

Maintaining x/crypto/openpgp would require a disproportionate amount of resources. x/crypto/openpgp is the crypto package with the most open CLs, and only crypto/tls, crypto/x509, and x/crypto/ssh have a similar number of open issues. These are all packages that implement old, complex, evolving protocols with significant ecosystem complexities. crypto/tls and crypto/x509 are used by most Go applications, and x/crypto/ssh powers the DevOps ecosystem. OpenPGP doesn't deserve the same amount of resources.

image

A community maintainer did not materialize. In #30141 we decided to look for a maintainer for x/crypto/openpgp in the community. There was some discussion on golang-openpgp@googlegroups.com, but such a maintainer has not materialized. This might be partially due to not providing enough support to onboard a new maintainer, but that requires resources too, and is an investment that for obvious reasons can't be guaranteed to pay off: maintainers are free to move on and step down, at which point we'd have to start over.

There is an expectation of quality for x/crypto packages. The community has an expectation of quality for the packages provided by the Go team. x/crypto/openpgp in its current state, with its 42 open issues, simply doesn't meet that bar, and it would be a lot of work (in terms of design, review, and implementation) to get it there.

The x/crypto/openpgp API has issues. There are issues like #22312 (and probably others judging from the CLs) that would be better fixed with a new API revision. x/crypto is not going to v2 just for x/crypto/openpgp, so an API revision is more likely to happen in a third-party package.

Forks abound. Every major player that actually relies on OpenPGP and Go maintains a fork (https://github.com/keybase/go-crypto, https://github.com/ProtonMail/go-crypto, ...). Developers would be better served by finding those, and by centralizing efforts onto one, without blocking on the resource limits of the Go team. Moreover, these forks regrettably fork the whole x/crypto module, presumably to be usable as a replace in applications that import x/crypto/openpgp. This is a problem because it slows down fixes that land in other packages of x/crypto. If we let x/crypto/openpgp go, the fork(s) can hopefully eventually become a normal module that provides just the openpgp package.

@FiloSottile FiloSottile added the Proposal-Crypto label Feb 11, 2021
@gopherbot gopherbot added this to the Proposal milestone Feb 11, 2021
@ianlancetaylor ianlancetaylor added this to Incoming in Proposals Feb 12, 2021
@rsc
Copy link
Contributor

@rsc rsc commented Feb 24, 2021

I think I was one of the people arguing most for letting the community work on x/crypto/openpgp, but since no one has stepped forward, deprecating and freezing it seems like it makes sense.

And the openpgp ecosystem has lost even more traction since two years ago (when we discussed the previous proposal).

@rsc
Copy link
Contributor

@rsc rsc commented Feb 24, 2021

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc rsc moved this from Incoming to Active in Proposals Feb 24, 2021
@rsc rsc moved this from Active to Likely Accept in Proposals Mar 10, 2021
@rsc
Copy link
Contributor

@rsc rsc commented Mar 10, 2021

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

@rsc rsc moved this from Likely Accept to Accepted in Proposals Mar 24, 2021
@rsc
Copy link
Contributor

@rsc rsc commented Mar 24, 2021

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: x/crypto/openpgp: mark as frozen and deprecated x/crypto/openpgp: mark as frozen and deprecated Mar 24, 2021
@rsc rsc removed this from the Proposal milestone Mar 24, 2021
@rsc rsc added this to the Backlog milestone Mar 24, 2021
@gopherbot
Copy link

@gopherbot gopherbot commented Aug 11, 2021

Change https://golang.org/cl/341549 mentions this issue: openpgp: mark as deprecated

Mic92 added a commit to Mic92/sops that referenced this issue Aug 29, 2021
upstream no longer maintains this library:
golang/go#44226
Hence bugfixes that are not security relevant are unlikely to get fixed
as well as new features.
Hence this commit switches to protonmail's fork, which is still
regularly updated: https://github.com/ProtonMail/go-crypto
tri-adam pushed a commit to sylabs/golang-x-crypto that referenced this issue Sep 2, 2021
Finally.

Fixes golang/go#44226

Change-Id: I73de5a49357f8891afef9094ab497f389b899943
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/341549
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
tri-adam added a commit to sylabs/golang-x-crypto that referenced this issue Sep 2, 2021
Finally.

Fixes golang/go#44226

Change-Id: I73de5a49357f8891afef9094ab497f389b899943
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/341549
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

Co-authored-by: Filippo Valsorda <filippo@golang.org>
vicamo added a commit to vicamo/aptly that referenced this issue Jan 28, 2022
Internal openpgp implementation without gpg1 installed now fails due to
golang/go#29082, and that's unlikely going to
be addressed ever, because x/crypto/openpgp has been deprecated as
stated in golang/go#44226. While aptly can
still be used on legacy environments, marking the dependency inbetween
and declare the obsolete status instead.

Signed-off-by: You-Sheng Yang <vicamo@gmail.com>
hiddeco added a commit to hiddeco/sops that referenced this issue Apr 20, 2022
As `golang.org/x/crypto/openpgp` has been deprecated (see
golang/go#44226 for details).

Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco added a commit to hiddeco/sops that referenced this issue Apr 20, 2022
As `golang.org/x/crypto/openpgp` has been deprecated (see
golang/go#44226 for details).

Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco added a commit to hiddeco/sops that referenced this issue Apr 20, 2022
As `golang.org/x/crypto/openpgp` has been deprecated (see
golang/go#44226 for details).

Signed-off-by: Hidde Beydals <hello@hidde.co>
massar added a commit to tridentli/tools that referenced this issue May 11, 2022
Deprecated instead of just breaking the API so one notices that it is known
broken... golang/go#44226
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Proposal Proposal-Accepted Proposal-Crypto
Projects
Proposals
Accepted
Development

No branches or pull requests

3 participants