Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/openpgp: mark as frozen and deprecated #44226

Closed
FiloSottile opened this issue Feb 11, 2021 · 5 comments
Closed

x/crypto/openpgp: mark as frozen and deprecated #44226

FiloSottile opened this issue Feb 11, 2021 · 5 comments
Labels
FrozenDueToAge Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone

Comments

@FiloSottile
Copy link
Contributor

FiloSottile commented Feb 11, 2021

March 2021 Update

This proposal was accepted and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If you find a security issue, please email security@golang.org.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, Tink for various cryptographic tools, or filippo.io/age for encryption (the latter two are not maintained by the Go team). You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering a maintained community fork of golang.org/x/crypto/openpgp. We don't endorse any specific one.


Intent

This is a proposal to freeze and deprecate but not remove the golang.org/x/crypto/openpgp package, providing only security patches going forward. Open issues and CLs would be triaged, fixed if they are security issues, and closed otherwise.

Summary

The golang.org/x/crypto/openpgp package is effectively unmaintained.

Maintaining it would require significant effort, which would not be the best use of our team's resources, and a community maintainer has not materialized.

Not communicating this clearly to users is making them a disservice, and stifling the opportunity for the community to converge on a third-party fork.

Details

OpenPGP is not something we want Go developers to use. OpenPGP is incompatible with https://golang.org/design/cryptography-principles, it's complex, fragile, and unsafe, and using it exposes applications to a dangerous ecosystem. (Just the other day there was an exploitable heap overflow in GnuPG.) Oceans of ink have been spilled about this, and a debate about the qualities of PGP wouldn't be productive for anyone, so let's keep it off topic, except to the extent that it informs team resource allocation.

Maintaining x/crypto/openpgp would require a disproportionate amount of resources. x/crypto/openpgp is the crypto package with the most open CLs, and only crypto/tls, crypto/x509, and x/crypto/ssh have a similar number of open issues. These are all packages that implement old, complex, evolving protocols with significant ecosystem complexities. crypto/tls and crypto/x509 are used by most Go applications, and x/crypto/ssh powers the DevOps ecosystem. OpenPGP doesn't deserve the same amount of resources.

image

A community maintainer did not materialize. In #30141 we decided to look for a maintainer for x/crypto/openpgp in the community. There was some discussion on golang-openpgp@googlegroups.com, but such a maintainer has not materialized. This might be partially due to not providing enough support to onboard a new maintainer, but that requires resources too, and is an investment that for obvious reasons can't be guaranteed to pay off: maintainers are free to move on and step down, at which point we'd have to start over.

There is an expectation of quality for x/crypto packages. The community has an expectation of quality for the packages provided by the Go team. x/crypto/openpgp in its current state, with its 42 open issues, simply doesn't meet that bar, and it would be a lot of work (in terms of design, review, and implementation) to get it there.

The x/crypto/openpgp API has issues. There are issues like #22312 (and probably others judging from the CLs) that would be better fixed with a new API revision. x/crypto is not going to v2 just for x/crypto/openpgp, so an API revision is more likely to happen in a third-party package.

Forks abound. Every major player that actually relies on OpenPGP and Go maintains a fork (https://github.com/keybase/go-crypto, https://github.com/ProtonMail/go-crypto, ...). Developers would be better served by finding those, and by centralizing efforts onto one, without blocking on the resource limits of the Go team. Moreover, these forks regrettably fork the whole x/crypto module, presumably to be usable as a replace in applications that import x/crypto/openpgp. This is a problem because it slows down fixes that land in other packages of x/crypto. If we let x/crypto/openpgp go, the fork(s) can hopefully eventually become a normal module that provides just the openpgp package.

@FiloSottile FiloSottile added the Proposal-Crypto Proposal related to crypto packages or other security issues label Feb 11, 2021
@gopherbot gopherbot added this to the Proposal milestone Feb 11, 2021
@rsc
Copy link
Contributor

rsc commented Feb 24, 2021

I think I was one of the people arguing most for letting the community work on x/crypto/openpgp, but since no one has stepped forward, deprecating and freezing it seems like it makes sense.

And the openpgp ecosystem has lost even more traction since two years ago (when we discussed the previous proposal).

@rsc
Copy link
Contributor

rsc commented Feb 24, 2021

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc
Copy link
Contributor

rsc commented Mar 10, 2021

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

@rsc
Copy link
Contributor

rsc commented Mar 24, 2021

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

vicamo added a commit to vicamo/aptly that referenced this issue Jan 28, 2022
Internal openpgp implementation without gpg1 installed now fails due to
golang/go#29082, and that's unlikely going to
be addressed ever, because x/crypto/openpgp has been deprecated as
stated in golang/go#44226. While aptly can
still be used on legacy environments, marking the dependency inbetween
and declare the obsolete status instead.

Signed-off-by: You-Sheng Yang <vicamo@gmail.com>
massar added a commit to tridentli/tools that referenced this issue May 11, 2022
Deprecated instead of just breaking the API so one notices that it is known
broken... golang/go#44226
KeisukeYamashita pushed a commit to kerraform/kegistry that referenced this issue Jul 23, 2022
…to/openpgp

It's deprecated. See golang/go#44226

Signed-off-by: KeisukeYamashita <keisuke.yamashita@linecorp.com>
@rsc rsc moved this to Accepted in Proposals Aug 10, 2022
@rsc rsc added this to Proposals Aug 10, 2022
@golang golang locked and limited conversation to collaborators Aug 12, 2022
@rsc rsc removed this from Proposals Oct 19, 2022
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
Finally.

Fixes golang/go#44226

Change-Id: I73de5a49357f8891afef9094ab497f389b899943
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/341549
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023
Finally.

Fixes golang/go#44226

Change-Id: I73de5a49357f8891afef9094ab497f389b899943
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/341549
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
None yet
Development

No branches or pull requests

3 participants