FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License

go.mod: Bump dependencies #400

Closed mrueg closed 2 years ago

mrueg commented 2 years ago

Since age imports golang.org/x/crypto/ssh, requesting to update deps because of https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083 (not sure if this is exploitable with age, so more applying best practices here)

FiloSottile commented 2 years ago

Vulnerabilities in the SSH protocol implementation definitely don't impact age. We just parse SSH keys.

I disagree that it's a best practice to cause churn in downstream projects with vulnerability false positives. They reduce the amount of attention that projects can dedicate to actually assessing if a vulnerability affected users.

For example, you'd want a vulnerability that actually affected age to be handled by producing an announcement about whether users need to re-encrypt affected files rather than silently updating the go.mod and moving on.

This is why govulncheck (what will hopefully become go audit) does static analysis to rule out this sort of false positive.
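The distinction drawn above, between a scanner that flags any module with a known vulnerability and one that checks whether the vulnerable symbol is actually reachable from the program, can be illustrated with a small reachability model. The following is an added example, not code from age or govulncheck: the call graph, the package and function names, and the vulnerability report (including its placeholder ID) are all constructed for the illustration, and the program models a consumer that, like age, only calls the key-parsing functions of an SSH package and never its protocol code.

```python
"""
Toy model of the difference between a module-level vulnerability scanner
and a symbol-reachability scanner such as govulncheck.

Added illustration, not code from the age project or from govulncheck.
The call graph, the symbol names and the vulnerability report below are
constructed for the example; none of them refer to a real advisory.
"""
from collections import deque

# Constructed call graph: each key calls the functions in its value set.
# The consumer (like age) only reaches the key-parsing path of the ssh
# package. The protocol path exists in the same module but is never called.
CALL_GRAPH = {
    "main.main": {"age.parseRecipient"},
    "age.parseRecipient": {"ssh.ParseAuthorizedKey"},
    "ssh.ParseAuthorizedKey": {"ssh.parsePubKey"},
    "ssh.parsePubKey": set(),
    "ssh.NewServerConn": {"ssh.handshake"},        # protocol code, unreached
    "ssh.handshake": {"ssh.vulnerableKexStep"},
    "ssh.vulnerableKexStep": set(),
}

# Constructed vulnerability report (placeholder ID, hypothetical symbol).
VULN_REPORT = {
    "id": "EXAMPLE-VULN-0001",
    "module": "golang.org/x/crypto",
    "packages": {"ssh"},
    "symbols": {"ssh.vulnerableKexStep"},
}


def module_level_hit(report, imported_modules):
    """Naive scanner: flags the report if the module is imported at all,
    regardless of which of its functions the program actually uses."""
    return report["module"] in imported_modules


def reachable_symbols(call_graph, entry):
    """Breadth-first traversal of the call graph from an entry point,
    returning every function that can be reached from it."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def symbol_level_hit(report, call_graph, entry="main.main"):
    """Reachability scanner: reports only the vulnerable symbols that are
    reachable from the entry point. An empty set means a false positive
    at module level that does not affect this program."""
    return report["symbols"] & reachable_symbols(call_graph, entry)


if __name__ == "__main__":
    imported = {"golang.org/x/crypto"}
    print("module-level scanner flags:", module_level_hit(VULN_REPORT, imported))
    print("reachable vulnerable symbols:", symbol_level_hit(VULN_REPORT, CALL_GRAPH))
```

Run from the consumer's entry point, the module-level check fires while the symbol-level check returns nothing, which is the false positive described above; changing the entry point to the protocol path (`ssh.NewServerConn`) makes the vulnerable symbol reachable and the finding real. Real tools derive the call graph from the compiled program rather than from a hand-written table, but the decision rule is the same.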

mrueg commented 2 years ago

Thanks for the quick response. I can see your point here. Unfortunately, lots of the existing vulnerability scanners are not sophisticated enough yet to detect whether it's exploitable or not. Thanks also for mentioning govulncheck; that sounds really interesting!