It seems the Go team is considering deprecating the openpgp package from its x/crypto repository, as per this proposal:
openpgp/
* the protocol predates modern cryptography engineering, which is still causing severe vulnerabilities, and any new project should rely on alternative modern solutions
* the ecosystem never solved its major UX and key management issues
* most importantly, this implementation is aging and incomplete because the specification is sprawling and there is no common subset to target; apparently everyone who's relying on it made their own fork to add features or fix issues, which is a much worse outcome than not having a golang.org/x/crypto package at all
It would then mean that we should use either a community fork, or switch to some other OpenPGP package.
What's your take on this? It would be a shame to fall back to using only the GPGCli, IMO.
Sorry for jumping in the discussion here.
As a user of gopass, I think this will really be a shame.
Yes, that's very sad indeed.
I can't argue with the reasoning of this proposal, but for our use case (i.e. compatibility with an existing tool) it's very annoying.
Thanks for making me aware of this fact, but I doubt I can do anything about it.
I love gopass and personally for me I couldn't care less for the compatibility with pass (although I did use it in the past and that's how I found out about gopass).
I would guess there are at least a bunch of other users just like me for whom using a different underlying crypto library (like the ones suggested in this article) wouldn't make much of a difference.
But I understand that different users have different needs and this seems like a big decision that needs to cater for all the use cases.
We already implement a working alternative to GPG, but there are still some small usability issues which we never got to address so far. That's why we didn't push that any further. Also it would break compatibility with vanilla pass.
But feel free to try it out and contribute if you want.
The custom agent is still a bit buggy and of course the crypto implementation could use some scrutiny.
OpenPGP support seems to be essential for using gopass with a Yubikey. According to the discussion there seem to be quite a few people willing to maintain this library. I think it would absolutely be worthwhile to keep OpenPGP support around.
I'm also a bit confused why FiloSottile would bring up EFAIL as an example for a "severe" OpenPGP vulnerability as it doesn't have anything to do with OpenPGP itself.
It seems that there are people like bradfitz (in the current last comment) willing to maintain a repository with OpenPGP in Go. That will be an alternative :)
It looks like in the end it was not deprecated. Maybe it will start to get maintained: https://groups.google.com/group/golang-openpgp .
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.