Open FiloSottile opened 7 months ago
This proposal has been added to the active column of the proposals project and will now be reviewed at the weekly proposal review meetings. — rsc for the proposal review group
Have all remaining concerns about this proposal been addressed?
Mark as Deprecated:
- golang.org/x/crypto/salsa20/salsa: should have been an internal package, exposes low-level components of Salsa20, it has 662 importers, but that number is deceptive: all the ones I sampled are golang.org/x/crypto forks, or a shadowsocks implementation that should have used salsa20.XORKeyStream instead
- golang.org/x/crypto/ssh/test: should also have been internal, or really a _test.go file, it exposes some test keys, zero importers

Mark as Frozen:
- golang.org/x/crypto/curve25519 and golang.org/x/crypto/ed25519: wrappers for crypto/ecdh and crypto/ed25519 respectively
- golang.org/x/crypto/nacl/auth and golang.org/x/crypto/nacl/sign: mostly unused NaCl APIs (21 and 73 importers), they are essentially wrappers around crypto/hmac and crypto/ed25519 respectively
- golang.org/x/crypto/otr: implements a deprecated version of OTR, basically unused (15 importers)
- golang.org/x/crypto/xts: implements a mode that should be only used for disk encryption and under duress, increasingly replaced by filesystem-level encryption, basically unused (10 importers)
Based on the discussion above, this proposal seems like a likely accept. — rsc for the proposal review group
No change in consensus, so accepted. 🎉 This issue now tracks the work of implementing the proposal. — rsc for the proposal review group
(@FiloSottile Please edit the proposal to add links to the documentation of each package like [golang.org/x/crypto/ssh/test](https://pkg.go.dev/golang.org/x/crypto/ssh/test))
Over the years we did some significant cleanups of x/crypto packages (#30141, #31044, #36646, #44226).
I propose we do one last round, marking as Deprecated
- golang.org/x/crypto/salsa20/salsa: should have been an internal package, exposes low-level components of Salsa20, it has 662 importers, but that number is deceptive: all the ones I sampled are golang.org/x/crypto forks, or a shadowsocks implementation that should have used salsa20.XORKeyStream instead
- golang.org/x/crypto/ssh/test: should also have been internal, or really a _test.go file, it exposes some test keys, zero importers

and marking as Frozen
- golang.org/x/crypto/curve25519 and golang.org/x/crypto/ed25519: wrappers for crypto/ecdh and crypto/ed25519 respectively
- golang.org/x/crypto/nacl/auth and golang.org/x/crypto/nacl/sign: mostly unused NaCl APIs (21 and 73 importers), they are essentially wrappers around crypto/hmac and crypto/ed25519 respectively
- golang.org/x/crypto/otr: implements a deprecated version of OTR, basically unused (15 importers)
- golang.org/x/crypto/xts: implements a mode that should be only used for disk encryption and under duress, increasingly replaced by filesystem-level encryption, basically unused (10 importers)
This leaves a pretty healthy list of non-Deprecated non-Frozen packages, which would be suitable for moving into the stdlib (ignoring x509roots for a moment since it's a special snowflake).
/cc @golang/security
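For code that still imports the curve25519 and nacl/auth wrappers named in the proposal, the same operations written against the standard library only. This is an added example, not code from the issue or from x/crypto; the names sharedSecret, authTag, verifyTag and demo are hypothetical, and authTag assumes NaCl's crypto_auth construction (HMAC-SHA-512 truncated to 32 bytes).

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// sharedSecret runs X25519 through crypto/ecdh; peerPub is the peer's raw 32-byte key.
func sharedSecret(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub) // rejects wrong lengths
	if err != nil {
		return nil, err
	}
	// ECDH returns an error when the result is all zeros (low-order peer key).
	return priv.ECDH(pub)
}

// authTag is HMAC-SHA-512 truncated to 32 bytes (assumed nacl/auth equivalent).
func authTag(key, msg []byte) []byte {
	mac := hmac.New(sha512.New, key)
	mac.Write(msg)
	return mac.Sum(nil)[:32]
}

// verifyTag recomputes the tag and compares it in constant time.
func verifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(authTag(key, msg), tag)
}

// demo reports whether two fresh key pairs agree and whether an all-zero peer key is refused.
func demo() (agreed, lowOrderRefused bool) {
	a, errA := ecdh.X25519().GenerateKey(rand.Reader)
	b, errB := ecdh.X25519().GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		return false, false
	}
	sa, errA := sharedSecret(a, b.PublicKey().Bytes())
	sb, errB := sharedSecret(b, a.PublicKey().Bytes())
	_, errLow := sharedSecret(a, make([]byte, 32)) // constructed bad input
	return errA == nil && errB == nil && bytes.Equal(sa, sb), errLow != nil
}

func main() {
	fmt.Println(demo())
}
```

crypto/ecdh requires Go 1.20 or later.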