Why this fork exists #1

Open
kofalt opened this issue Sep 6, 2022 · 0 comments
kofalt commented Sep 6, 2022

What's this for?

The excellent lestrrat-go/jwx depends on a cryptocurrency project decred/dcrd, which raises an eyebrow in go.mod.

Why does it need dcrd?

Dcrd has a secp256k1 package:

Package secp256k1 implements optimized secp256k1 elliptic curve operations.

If you're not using this, you don't need dcrd.

Is dcrd malicious?

Unknown, because I have not investigated their project or team at all.
I just avoid importing cryptocurrency projects on general principle.

What do you do?

I remove the ~2 tiny files that need dcrd, and remove dcrd from various go.mod files.
This is done from an upstream release. See the top of the v2 branch for an example.

What could improve this situation?

  1. Dcrd maintainers could separate out their secp256k1 module.
  2. Someone could fork dcrd, strip it down to secp256k1, and maintain it.
  3. Jwx maintainers could add a mechanism to register third-party curves, and drop their go.mod entry.

Do you plan to do (or suggest) any of that?

No. Post here if you do.

Does this matter?

Probably not. It may be that the build tags in es256k take care of things, and dcrd just sits there in go.sum.

What releases are available?

For clarity this repo will only hold the v2 branch and tags that are modified.
Each modified tag is paired with its upstream variant by adding -no-cc to the end.

For example, to use this fork's variant of v2.0.20:

require (
	github.com/lestrrat-go/jwx/v2 v2.0.20
)

replace github.com/lestrrat-go/jwx/v2 => github.com/kofalt/jwx-no-cryptocurrency/v2 v2.0.20-no-cc

Maintainer notes

Updating this fork:

# Clone & add upstream
git clone git@github.com:kofalt/jwx-no-cryptocurrency
cd jwx-no-cryptocurrency
git remote add upstream git@github.com:lestrrat-go/jwx
git fetch upstream

# Look at the upstream/v2 commit log; decide on a release tag
export ver="v2.0.20"
git checkout "$ver"

# Remove "dcrd" entries from go.mod and go.sum; remove related files
rm jwk/es256k.go jwk/es256k_test.go

# Check the build
go build -v

# Review & commit
git add .
git commit -m "Remove github.com/decred/dcrd"
git tag "$ver-no-cc"
git push origin "$ver-no-cc"

# Reset the branch
git branch -D v2
git checkout -b v2
git push -f origin v2
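As an added example (not part of kofalt's issue, the jwx project, or this fork), here is a small Go program that a consumer of the fork can run against its own go.mod to confirm that the replace directive above really takes effect and that no module under github.com/decred/dcrd remains in the build list. It parses the require and replace directives (single-line and block forms), applies version-specific and path-wide replacements the way the go command does, and reports any effective module path matching a denylist. The two embedded go.mod files are constructed: a hypothetical consumer module example.com/consumer before and after switching to the fork, and the dcrd version string is a placeholder, not a real release.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod for a hypothetical consumer (example.com/consumer)
// BEFORE switching to the fork: upstream jwx/v2 drags in dcrd's secp256k1
// module as an indirect dependency. The dcrd version is a placeholder.
const beforeGoMod = `module example.com/consumer

go 1.19

require (
	github.com/lestrrat-go/jwx/v2 v2.0.20
	github.com/decred/dcrd/dcrec/secp256k1/v4 v0.0.0-placeholder // indirect
)
`

// The same consumer AFTER adding the replace directive from the issue and
// running "go mod tidy", which drops the now-unneeded indirect requirement.
const afterGoMod = `module example.com/consumer

go 1.19

require github.com/lestrrat-go/jwx/v2 v2.0.20

replace github.com/lestrrat-go/jwx/v2 => github.com/kofalt/jwx-no-cryptocurrency/v2 v2.0.20-no-cc
`

// stripComment drops a trailing "// ..." comment and surrounding whitespace.
func stripComment(line string) string {
	if i := strings.Index(line, "//"); i >= 0 {
		line = line[:i]
	}
	return strings.TrimSpace(line)
}

// addDirective records one require or replace line (without the keyword).
// Replace keys are "path" for path-wide replacements and "path@version"
// for version-specific ones, mirroring the go command's semantics.
func addDirective(kind string, f []string, requires, replaces map[string]string) {
	switch kind {
	case "require":
		if len(f) >= 2 {
			requires[f[0]] = f[1]
		}
	case "replace":
		// forms: old => new [ver]   |   old ver => new [ver]
		for i, tok := range f {
			if tok != "=>" || i < 1 || i+1 >= len(f) {
				continue
			}
			key := f[0]
			if i == 2 {
				key = f[0] + "@" + f[1]
			}
			replaces[key] = f[i+1]
		}
	}
}

// ParseGoMod extracts require (path -> version) and replace directives.
// Only the subset of go.mod syntax needed for this check is handled.
func ParseGoMod(src string) (requires, replaces map[string]string) {
	requires, replaces = map[string]string{}, map[string]string{}
	block := "" // "require" or "replace" while inside a ( ... ) block
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := stripComment(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if block != "" {
			if line == ")" {
				block = ""
				continue
			}
			addDirective(block, f, requires, replaces)
			continue
		}
		if f[0] != "require" && f[0] != "replace" {
			continue
		}
		if len(f) == 2 && f[1] == "(" {
			block = f[0]
			continue
		}
		addDirective(f[0], f[1:], requires, replaces)
	}
	return requires, replaces
}

// EffectiveModules maps each required path to the path that actually ends up
// in the build after replace directives are applied.
func EffectiveModules(src string) map[string]string {
	requires, replaces := ParseGoMod(src)
	out := map[string]string{}
	for path, ver := range requires {
		eff := path
		if r, ok := replaces[path+"@"+ver]; ok {
			eff = r
		} else if r, ok := replaces[path]; ok {
			eff = r
		}
		out[path] = eff
	}
	return out
}

// FindForbidden returns, sorted, every effective module path equal to or
// nested under a denylist prefix.
func FindForbidden(src string, denylist []string) []string {
	var hits []string
	for _, eff := range EffectiveModules(src) {
		for _, bad := range denylist {
			if eff == bad || strings.HasPrefix(eff, bad+"/") {
				hits = append(hits, eff)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	denylist := []string{"github.com/decred/dcrd"}
	for name, src := range map[string]string{"before": beforeGoMod, "after": afterGoMod} {
		hits := FindForbidden(src, denylist)
		if len(hits) == 0 {
			fmt.Printf("%s: OK, no denylisted modules\n", name)
			continue
		}
		for _, h := range hits {
			fmt.Printf("%s: DENIED %s\n", name, h)
		}
	}
}
```

The "before" file reports the dcrd module; the "after" file passes and shows jwx/v2 resolving to the fork. A replace directive alone does not remove a stale indirect require line, so run go mod tidy after adding it. For modules whose go directive is 1.17 or later, go.mod lists every module needed to build the main module, so a clean go.mod is a meaningful signal; for older modules, or to see the whole graph, use go list -m all or go mod why -m with the dcrd path.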