Closed lsm5 closed 6 months ago
There seem to be 2 paths forward here: replacing the PGP library or replacing/deprecating PGP functionality.
The latter probably will not be the case in the immediate timeline, since there are still use cases around it.
The issue seems to indicate that there are forks of this which different groups maintain, but will only get trickle-down security patches. I am not familiar with either of the recommended repos. If there's a clear winner among these options, I think it would make sense to choose one; if not, I think we can leave it to the user to choose which one they want with the go.mod replace directive.
Do you have any thoughts on these libraries?
Speaking with Podman in mind, we do depend indirectly on crypto/ed25519 already, though I think it's unlikely to serve as a full replacement. Speaking of forks, I only noticed indirect usage of ProtonMail/go-crypto (if any) in Podman.
I'll defer to @mtrmac .
/cc @vrothberg @rhatdan
I don't think we will need new or more openpgp functionality, and for as long as x/crypto/openpgp exists, we can just keep using it.
I came across https://github.com/golang/go/issues/44226 saying openpgp is marked frozen and deprecated, except for security fixes. Just curious if there are plans to replace it in this repo.