sshpiper icon indicating copy to clipboard operation
sshpiper copied to clipboard
verified publisher icon tg123

Alternative to forking `golang.org/x/crypto`

Open jpillor-macquarie opened this issue 1 year ago • 7 comments

Thanks for the great work with sshpiper :)

Sorry I posted here because https://github.com/tg123/sshpiper.crypto has issues disabled. This is just a suggestion, feel free to close. I understand that doing this essentially abandons efforts to get this merged upstream to golang.org/x/crypto.

Currently https://github.com/tg123/sshpiper.crypto forks golang.org/x/crypto. This means that we have to do a mod replace for all of golang.org/x/crypto and you potentially miss critical security updates.

As an alternative, sshpiper.crypto could instead be a go module with one package: ssh, which itself imports golang.org/x/crypto

Then users of sshpiper.crypto only import the ssh package; for everything else, they stick to golang.org/x/crypto.

I have done this to avoid the mod replace, I wrote myself a list to update sshpiper.crypto

  • Clone https://github.com/tg123/sshpiper.crypto into tmp
  • Copy tmp/ssh to ./ssh
  • Copy tmp/internal/poly1305 to ./ssh/internal
  • Copy tmp/ssh/internal/bcrypt_pbkdf to ./ssh/internal
  • Alias PublicKey and Signature to x/crypto/ssh to maintain type compatibility

jpillor-macquarie avatar Jan 31 '24 03:01 jpillor-macquarie

what i have to is watch upstream and update timely

i did not get how your solution works, could you please send a pr?

tg123 avatar Jan 31 '24 03:01 tg123

We had the same problem.

hexiaodai avatar Mar 08 '24 03:03 hexiaodai