Hello! We recently finally deprecated x/crypto/openpgp (golang/go#44226), and once the deprecation notice goes out I expect a number of users will move to forks like yours, which is great!
To make that migration happen smoothly and safely, I was hoping you'd consider removing or unexporting the non-openpgp packages. Assuming my understanding is correct, github.com/keybase/go-crypto/openpgp is the only package that's meant to work differently in this fork, and the rest just reflect upstream.
If users put a replace statement in their go.mod for the whole x/crypto, they become blocked on your merges and releases to receive security fixes for any x/crypto package, like x/crypto/ssh or x/crypto/chacha20poly1305, which is unnecessary, a security risk, and toiling for your project.
Instead, users should be encouraged to require github.com/keybase/go-crypto and use github.com/keybase/go-crypto/openpgp, just like any third-party module.
Hello! We recently finally deprecated x/crypto/openpgp (golang/go#44226), and once the deprecation notice goes out I expect a number of users will move to forks like yours, which is great!
To make that migration happen smoothly and safely, I was hoping you'd consider removing or unexporting the non-openpgp packages. Assuming my understanding is correct,
github.com/keybase/go-crypto/openpgpis the only package that's meant to work differently in this fork, and the rest just reflect upstream.If users put a
replacestatement in their go.mod for the whole x/crypto, they become blocked on your merges and releases to receive security fixes for any x/crypto package, like x/crypto/ssh or x/crypto/chacha20poly1305, which is unnecessary, a security risk, and toiling for your project.Instead, users should be encouraged to
require github.com/keybase/go-cryptoand usegithub.com/keybase/go-crypto/openpgp, just like any third-party module.Thank you!