migrate to crypton-x509 about stackage HOT 17 CLOSED

I don't maintainx509 anymore because I maintain crypton-*.

from stackage.

@juhp tls-1.7.0 seems to use crypton

from stackage.

Yeah could probably close this now

from stackage.

@mbg It's unfortunate, but the summary of it all is that Vincent doesn't want to pass on maintainership of the packages. The crypton packages are maintained by Kazu Yamamoto, and he already maintains a lot of notable packages, so you're probably already trusting him.

See

• yesodweb/wai#931 (comment) , which has comments from Kazu indicating that he couldn't take over the existing packages.
• This thread has a few more comments from Vincent: #7336 (comment)

Considering that cryptonite has bugs that are fixed in crypton, I think it's reasonable to switch. And it seems excessively conservative to stick with something just because it's what you're already depending on. There are open issues with cryptonite.

from stackage.

what

from stackage.

Thanks I updated the description

from stackage.

Was there anything bad with the old library name or what's the reason?

from stackage.

I haven't seen a broad announcement yet but yesodweb/wai#931 has some more context.

from stackage.

pushed amqp-utils-0.6.4.0 which uses crypton-connection and crypton-x509. Unfortunately there is to be waited for xtendo-org/rawfilepath#7 to be built cleanly.

from stackage.

aws-sns-verify-0.0.0.3 released: https://hackage.haskell.org/package/aws-sns-verify-0.0.0.3/dependencies

from stackage.

jose was fixed on Oct 31.

from stackage.

I don't think the crypton-x509 is so critical to upgrade to, given that Kazu Yamamoto has uploader rights to x509, as you can see on hackage. So I am not sure what this issue is tracking, since both of those packages can co-exist.

from stackage.

@ysangkok I'm pretty sure x509 is in the set of packages that Vincent has asked be abandoned. crypton-x509 is a replacement the same way crypton is. I doubt Kazu forked the repo/package just to keep updating the original. Getting everyone to switch ahead of time is a good proactive move.

I guess we can just ask @kazu-yamamoto directly if this is the right move.

from stackage.

The list of packages currently still depending on x509-*:

x509 (not present) depended on by:

• cryptostore-0.3.1.0 (>=1.7.5). Grandfathered dependencies. Used by: library
• jwt-0.11.0 (>=0). Brian McKenna [email protected] @puffnfresh. Used by: library
• wai-saml2-0.5 (< 2). Michael B. Gale [email protected] @mbg. Used by: library

x509-store (not present) depended on by:

• jwt-0.11.0 (>=0). Brian McKenna [email protected] @puffnfresh. Used by: library
• wai-saml2-0.5 (< 2). Michael B. Gale [email protected] @mbg. Used by: library

x509-validation (not present) depended on by:

• cryptostore-0.3.1.0 (>=1.5). Grandfathered dependencies. Used by: library

I'll make a PR and try to remove as many of them as possible

from stackage.

Closing, but note that we had to remove 2 additional packages that transitively depended on x509* packages (via jwt):

jwt (not present) depended on by:

• github-rest-1.1.4 (>=0.9 && < 0.12). Brandon Chinn [email protected] @brandonchinn178. Used by: library
• gmail-simple-0.1.0.6 (>=0). Daniel Casanueva [email protected] @Daniel-Diaz. Used by: library

from stackage.

it seems like crypton-x509's test suite is also depending on x509. i've made an issue:

• kazu-yamamoto/crypton-certificate#10

from stackage.

FWIW, I prepared a PR for wai-saml2 to change the dependencies back when I got tagged here, but I was hoping that more context than the issue linked to in this comment would be added here before merging that.

Perhaps I am out of the loop with what's going on in the Haskell world, but it seems a big ask to just change security critical dependencies without much of an explanation for why that needs to happen and why I should trust the replacements.

I followed through a few issues and came across haskell-infra/hackage-trustees#396 which doesn't seem to be resolved yet.

from stackage.