
Revoke dependency leads to broken import of google.golang.org/grpc/naming

Open hdm opened this issue 4 years ago • 9 comments

A long chain of dependencies is introduced via revoke's CT support. This currently leads to a broken module dependency for GRPC:

        github.com/duo-labs/webauthn/protocol imports
        github.com/duo-labs/webauthn/metadata imports
        github.com/cloudflare/cfssl/revoke imports
        github.com/cloudflare/cfssl/helpers imports
        github.com/google/certificate-transparency-go imports
        go.etcd.io/etcd imports
        github.com/coreos/etcd/etcdmain imports
        github.com/coreos/etcd/proxy/grpcproxy imports
        google.golang.org/grpc/naming: module google.golang.org/grpc@latest found (v1.30.0), but does not contain package google.golang.org/grpc/naming

Edit: It looks like revoke's validation is needed here. Any suggestions for fixing this dependency issue?

hdm avatar Jul 19 '20 15:07 hdm

It looks like the workaround (until upstream is fixed) is:

go get google.golang.org/[email protected] (or use a go.mod redirect)

hdm avatar Jul 19 '20 15:07 hdm

Thanks @hdm! Tagging in @nicksteele to collaborate on the best way to fix this issue.

jordan-wright avatar Jul 19 '20 18:07 jordan-wright

This issue is still unresolved. It would be nice to be able to remove the dependency of the problem ...

vvakame avatar Apr 10 '21 06:04 vvakame

@iftimasum

iftimasum avatar Jun 14 '21 21:06 iftimasum

Is there maybe an equal lib like cloudflare's that doesn't introduce such a large dependency tree? Or maybe we could fork the revoke module? The problem is that Go 1.18 is much more strict about dependencies and the original workaround does not seem to work any more. It's also problematic when the project consumes grpc and needs a specific (higher) version.

aeneasr avatar Apr 03 '22 15:04 aeneasr

I think the forking idea may be the best one, though it's not entirely easy. That lib is horrible. The only usage of the model is in metadata to check the validity of devices via their certs as you have probably identified.

james-d-elliott avatar Apr 03 '22 21:04 james-d-elliott

I have run into a similar problem. I created a fork of CFSSL that has just enough functionality for this project. I have changed only import paths in the code and deleted unnecessary things, so that practically no dependency comes with it. If anyone is interested: https://github.com/Isolus/cfssl-revoke

Isolus avatar Sep 03 '22 23:09 Isolus

@Isolus Nice work! Would you be able to open a PR to switch the dependency?

hdm avatar Sep 04 '22 02:09 hdm

PR with forked cfssl is https://github.com/duo-labs/webauthn/pull/150. It would be nice to merge, or maybe duo-labs should provide a similar fork in their own repo?

tobiaszheller avatar Sep 26 '22 06:09 tobiaszheller