Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

migrate to crypton-x509 #6998

Closed
17 of 23 tasks
juhp opened this issue Jun 8, 2023 · 17 comments · Fixed by #7431
Closed
17 of 23 tasks

migrate to crypton-x509 #6998

juhp opened this issue Jun 8, 2023 · 17 comments · Fixed by #7431
Labels
grandfathered

Comments

@juhp
Copy link
Contributor

juhp commented Jun 8, 2023
edited by alaendle
Loading

crypton-x509* is replacing the x509* libraries.

Note the x509* library are still in Stackage Nightly at this time - this is a first heads-up

x509 (Grandfathered dependencies) (not present) depended on by:

x509-store (Grandfathered dependencies) (not present) depended on by:

x509-system (Grandfathered dependencies) (not present) depended on by:

x509-validation (Grandfathered dependencies) (not present) depended on by:

Please migrate your packages to crypton-x509*
@phadej
Copy link
Contributor

phadej commented Jun 8, 2023

@juhp tls-1.7.0 seems to use crypton

@l29ah
Copy link
Contributor

l29ah commented Jun 8, 2023

what

@juhp
Copy link
Contributor Author

juhp commented Jun 8, 2023

Thanks I updated the description

@l29ah
Copy link
Contributor

l29ah commented Jun 8, 2023

Was there anything bad with the old library name or what's the reason?

@juhp
Copy link
Contributor Author

juhp commented Jun 8, 2023

I haven't seen a broad announcement yet but yesodweb/wai#931 has some more context.

@juhp juhp mentioned this issue Jun 8, 2023
Closed
21 tasks
@mbg mbg mentioned this issue Jun 18, 2023
Merged
1 task
@pbrisbin pbrisbin mentioned this issue Jun 24, 2023
Closed
@woffs
Copy link
Contributor

woffs commented Jul 20, 2023

pushed amqp-utils-0.6.4.0 which uses crypton-connection and crypton-x509. Unfortunately there is to be waited for xtendo-org/rawfilepath#7 to be built cleanly.

@pbrisbin pbrisbin mentioned this issue Jul 26, 2023
Merged
@pbrisbin
Copy link
Contributor

aws-sns-verify-0.0.0.3 released: https://hackage.haskell.org/package/aws-sns-verify-0.0.0.3/dependencies

@ysangkok
Copy link
Contributor

jose was fixed on Oct 31.

@ysangkok
Copy link
Contributor

I don't think the crypton-x509 is so critical to upgrade to, given that Kazu Yamamoto has uploader rights to x509, as you can see on hackage. So I am not sure what this issue is tracking, since both of those packages can co-exist.

@chreekat
Copy link
Member

chreekat commented May 15, 2024
edited
Loading

@ysangkok I'm pretty sure x509 is in the set of packages that Vincent has asked be abandoned. crypton-x509 is a replacement the same way crypton is. I doubt Kazu forked the repo/package just to keep updating the original. Getting everyone to switch ahead of time is a good proactive move.

I guess we can just ask @kazu-yamamoto directly if this is the right move.

@kazu-yamamoto
Copy link

I don't maintainx509 anymore because I maintain crypton-*.

@juhp
Copy link
Contributor Author

juhp commented May 16, 2024

Yeah could probably close this now

@mihaimaruseac
Copy link
Contributor

The list of packages currently still depending on x509-*:

x509 (not present) depended on by:

x509-store (not present) depended on by:

x509-validation (not present) depended on by:

  • cryptostore-0.3.1.0 (>=1.5). Grandfathered dependencies. Used by: library

I'll make a PR and try to remove as many of them as possible

@mihaimaruseac mihaimaruseac mentioned this issue May 26, 2024
Merged
@mihaimaruseac
Copy link
Contributor

Closing, but note that we had to remove 2 additional packages that transitively depended on x509* packages (via jwt):

jwt (not present) depended on by:

@ysangkok
Copy link
Contributor

it seems like crypton-x509's test suite is also depending on x509. i've made an issue:

@mbg
Copy link
Contributor

mbg commented May 30, 2024

FWIW, I prepared a PR for wai-saml2 to change the dependencies back when I got tagged here, but I was hoping that more context than the issue linked to in this comment would be added here before merging that.

Perhaps I am out of the loop with what's going on in the Haskell world, but it seems a big ask to just change security critical dependencies without much of an explanation for why that needs to happen and why I should trust the replacements.

I followed through a few issues and came across haskell-infra/hackage-trustees#396 which doesn't seem to be resolved yet.

@ysangkok
Copy link
Contributor

ysangkok commented Jun 2, 2024
edited
Loading

@mbg It's unfortunate, but the summary of it all is that Vincent doesn't want to pass on maintainership of the packages. The crypton packages are maintained by Kazu Yamamoto, and he already maintains a lot of notable packages, so you're probably already trusting him.

See

Considering that cryptonite has bugs that are fixed in crypton, I think it's reasonable to switch. And it seems excessively conservative to stick with something just because it's what you're already depending on. There are open issues with cryptonite.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
grandfathered
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove x509* packages commercialhaskell/stackage