Hello! We recently finally deprecated x/crypto/openpgp (golang/go#44226), and once the deprecation notice goes out I expect a number of users will move to forks like yours, which is great!
To make that migration happen smoothly and safely, I was hoping you'd consider removing or unexporting the non-openpgp packages. Assuming my understanding is correct, github.com/keybase/go-crypto/openpgp is the only package that's meant to work differently in this fork, and the rest just reflect upstream.
If users put a replace statement in their go.mod for the whole x/crypto, they become blocked on your merges and releases to receive security fixes for any x/crypto package, like x/crypto/ssh or x/crypto/chacha20poly1305, which is unnecessary, a security risk, and toiling for your project.
Instead, users should be encouraged to require github.com/keybase/go-crypto and use github.com/keybase/go-crypto/openpgp, just like any third-party module.
Thank you!
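A check for the situation this issue describes, as an added example that is not part of the original issue or of either project's code: it scans a go.mod for `replace` directives that redirect the whole of golang.org/x/crypto to another module. The helper name `replaceTargets` and the sample go.mod with its placeholder versions are constructed for illustration, and the parser is a simplified line scanner rather than the official modfile package.

```go
package main

import ("fmt"; "strings")

// Constructed go.mod (not a real project); version strings are placeholders.
const sampleGoMod = `module example.com/app
require golang.org/x/crypto v0.0.0-00010101000000-000000000000
replace golang.org/x/crypto => github.com/keybase/go-crypto v0.0.0-00010101000000-000000000000
`

// replaceTargets (hypothetical helper) returns the right-hand side of every
// replace directive, single-line or block form, that redirects modulePath.
func replaceTargets(gomod, modulePath string) []string {
	var targets []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comment
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if !inBlock {
			if f[0] != "replace" {
				continue
			}
			f = f[1:]
			if len(f) == 1 && f[0] == "(" {
				inBlock = true
				continue
			}
		} else if f[0] == ")" {
			inBlock = false
			continue
		}
		// f is now: old [version] => new [version]
		for i, tok := range f {
			if tok == "=>" && i > 0 && i+1 < len(f) && f[0] == modulePath {
				targets = append(targets, f[i+1])
			}
		}
	}
	return targets
}

func main() {
	fmt.Println(replaceTargets(sampleGoMod, "golang.org/x/crypto"))
}
```

A non-empty result means every x/crypto package in the build, including x/crypto/ssh and x/crypto/chacha20poly1305, is being served from the replacement module.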