Alternative to forking `golang.org/x/crypto`

[jpillor-macquarie]

Thanks for the great work with sshpiper :)

Sorry I posted here because https://github.com/tg123/sshpiper.crypto has issues disabled. This is just a suggestion, feel free to close. I understand that doing this essentially abandons efforts to get this merged upstream to golang.org/x/crypto.

Currently https://github.com/tg123/sshpiper.crypto forks golang.org/x/crypto. This means that we have to do a mod replace for all of golang.org/x/crypto and you potentially miss critical security updates.

As an alternative, sshpiper.crypto could instead be a go module with one package: ssh, which itself imports golang.org/x/crypto

Then users of sshpiper.crypto only import the ssh package; for everything else, they stick to golang.org/x/crypto.

I have done this to avoid the mod replace, I wrote myself a list to update sshpiper.crypto

• Clone https://github.com/tg123/sshpiper.crypto into tmp
• Copy tmp/ssh to ./ssh
• Copy tmp/internal/poly1305 to ./ssh/internal
• Copy tmp/ssh/internal/bcrypt_pbkdf to ./ssh/internal
• Alias PublicKey and Signature to x/crypto/ssh to maintain type compatibility

[tg123]

what i have to is watch upstream and update timely

i did not get how your solution works, could you please send a pr?

[hexiaodai]

We had the same problem.

[josharian]

I hit a variant of this problem. I'm trying to write a plugin that runs as part of a larger service, which cannot (for several reasons) import the custom x/crypto. As a result:

../../pkg/mod/github.com/tg123/sshpiper@v1.4.8/libplugin/util.go:159:37: undefined: knownhosts.NewFromReader

This feels a bit silly, because the gRPC plugin shouldn't require any custom crypto code at all.

[josharian]

Would you accept a PR that vendors package knownhosts into sshpiper, thereby breaking plugin dependencies on sshpiper.crypto? It's not much code and it changes very infrequently.

(Another fix would be to extract skel from package libplugin into its own package, but that would be a breaking API change, which I'm guessing you'd prefer to avoid.)

[tg123]

i am happy if you can send a PR to isolate plugin from sshpiperd and make plugin customized code independent
but i remember just moving knownhosts out is not enough

first, moving knownhosts from crypto to sshpiperd is a good start

[tg123]

i quickly revisit code, seems the request is to make libplugin get rid of hacked crypto, so it would be much easier to create 3p plugin. so moving skel out is also good to me.

i was thinking adding custom cypto is not a big deal, so left too much junk in it

[josharian]

great, i'll move skel out into its own package.