x/crypto/openpgp: mark as frozen and deprecated #44226
Labels
FrozenDueToAge
Proposal
Proposal-Accepted
Proposal-Crypto
Proposal related to crypto packages or other security issues
Milestone
Comments
FiloSottile
added
the
Proposal-Crypto
|
I think I was one of the people arguing most for letting the community work on x/crypto/openpgp, but since no one has stepped forward, deprecating and freezing it seems like it makes sense. And the openpgp ecosystem has lost even more traction since two years ago (when we discussed the previous proposal). |
|
This proposal has been added to the active column of the proposals project |
|
Based on the discussion above, this proposal seems like a likely accept. |
|
No change in consensus, so accepted. 🎉 |
rsc
changed the title
This was referenced Mar 29, 2021
vicamo
added a commit
to vicamo/aptly
that referenced
this issue
Jan 28, 2022
Internal openpgp implementation without gpg1 installed now fails due to golang/go#29082, and that's unlikely going to be addressed ever, because x/crypto/openpgp has been deprecated as stated in golang/go#44226. While aptly can still be used on legacy environments, marking the dependency inbetween and declare the obsolete status instead. Signed-off-by: You-Sheng Yang <vicamo@gmail.com>
This was referenced Mar 14, 2022
massar
added a commit
to tridentli/tools
that referenced
this issue
May 11, 2022
Deprecated instead of just breaking the API so one notices that it is known broken... golang/go#44226
KeisukeYamashita
pushed a commit
to kerraform/kegistry
that referenced
this issue
Jul 23, 2022
…to/openpgp It's deprecated. See golang/go#44226 Signed-off-by: KeisukeYamashita <keisuke.yamashita@linecorp.com>
LewiGoddard
pushed a commit
to LewiGoddard/crypto
that referenced
this issue
Feb 16, 2023
Finally. Fixes golang/go#44226 Change-Id: I73de5a49357f8891afef9094ab497f389b899943 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/341549 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
BiiChris
pushed a commit
to BiiChris/crypto
that referenced
this issue
Sep 15, 2023
Finally. Fixes golang/go#44226 Change-Id: I73de5a49357f8891afef9094ab497f389b899943 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/341549 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
March 2021 Update
This proposal was accepted and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.
If you find a security issue, please email security@golang.org.
If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, Tink for various cryptographic tools, or filippo.io/age for encryption (the latter two are not maintained by the Go team). You can read a summary of OpenPGP issues and alternatives here.
If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering a maintained community fork of golang.org/x/crypto/openpgp. We don't endorse any specific one.
Intent
This is a proposal to freeze and deprecate but not remove the golang.org/x/crypto/openpgp package, providing only security patches going forward. Open issues and CLs would be triaged, fixed if they are security issues, and closed otherwise.
Summary
The golang.org/x/crypto/openpgp package is effectively unmaintained.
Maintaining it would require significant effort, which would not be the best use of our team's resources, and a community maintainer has not materialized.
Not communicating this clearly to users is making them a disservice, and stifling the opportunity for the community to converge on a third-party fork.
Details
OpenPGP is not something we want Go developers to use. OpenPGP is incompatible with https://golang.org/design/cryptography-principles, it's complex, fragile, and unsafe, and using it exposes applications to a dangerous ecosystem. (Just the other day there was an exploitable heap overflow in GnuPG.) Oceans of ink have been spilled about this, and a debate about the qualities of PGP wouldn't be productive for anyone, so let's keep it off topic, except to the extent that it informs team resource allocation.
Maintaining x/crypto/openpgp would require a disproportionate amount of resources. x/crypto/openpgp is the crypto package with the most open CLs, and only crypto/tls, crypto/x509, and x/crypto/ssh have a similar number of open issues. These are all packages that implement old, complex, evolving protocols with significant ecosystem complexities. crypto/tls and crypto/x509 are used by most Go applications, and x/crypto/ssh powers the DevOps ecosystem. OpenPGP doesn't deserve the same amount of resources.
A community maintainer did not materialize. In #30141 we decided to look for a maintainer for x/crypto/openpgp in the community. There was some discussion on golang-openpgp@googlegroups.com, but such a maintainer has not materialized. This might be partially due to not providing enough support to onboard a new maintainer, but that requires resources too, and is an investment that for obvious reasons can't be guaranteed to pay off: maintainers are free to move on and step down, at which point we'd have to start over.
There is an expectation of quality for x/crypto packages. The community has an expectation of quality for the packages provided by the Go team. x/crypto/openpgp in its current state, with its 42 open issues, simply doesn't meet that bar, and it would be a lot of work (in terms of design, review, and implementation) to get it there.
The x/crypto/openpgp API has issues. There are issues like #22312 (and probably others judging from the CLs) that would be better fixed with a new API revision. x/crypto is not going to v2 just for x/crypto/openpgp, so an API revision is more likely to happen in a third-party package.
Forks abound. Every major player that actually relies on OpenPGP and Go maintains a fork (https://github.com/keybase/go-crypto, https://github.com/ProtonMail/go-crypto, ...). Developers would be better served by finding those, and by centralizing efforts onto one, without blocking on the resource limits of the Go team. Moreover, these forks regrettably fork the whole x/crypto module, presumably to be usable as a
replacein applications that import x/crypto/openpgp. This is a problem because it slows down fixes that land in other packages of x/crypto. If we let x/crypto/openpgp go, the fork(s) can hopefully eventually become a normal module that provides just the openpgp package.The text was updated successfully, but these errors were encountered: