Comments (17)
I don't maintain x509 anymore because I maintain crypton-*.
from stackage.
@juhp tls-1.7.0 seems to use crypton
from stackage.
Yeah could probably close this now
from stackage.
@mbg It's unfortunate, but the summary of it all is that Vincent doesn't want to pass on maintainership of the packages. The crypton packages are maintained by Kazu Yamamoto, and he already maintains a lot of notable packages, so you're probably already trusting him.
See
- yesodweb/wai#931 (comment), which has comments from Kazu indicating that he couldn't take over the existing packages.
- This thread has a few more comments from Vincent: #7336 (comment)
Considering that cryptonite has bugs that are fixed in crypton, I think it's reasonable to switch. And it seems excessively conservative to stick with something just because it's what you're already depending on. There are open issues with cryptonite.
from stackage.
what
from stackage.
Thanks I updated the description
from stackage.
Was there anything bad with the old library name or what's the reason?
from stackage.
I haven't seen a broad announcement yet but yesodweb/wai#931 has some more context.
from stackage.
Pushed amqp-utils-0.6.4.0, which uses crypton-connection and crypton-x509. Unfortunately, we have to wait for xtendo-org/rawfilepath#7 for it to build cleanly.
from stackage.
aws-sns-verify-0.0.0.3 released: https://hackage.haskell.org/package/aws-sns-verify-0.0.0.3/dependencies
from stackage.
I don't think the crypton-x509 is so critical to upgrade to, given that Kazu Yamamoto has uploader rights to x509, as you can see on hackage. So I am not sure what this issue is tracking, since both of those packages can co-exist.
from stackage.
@ysangkok I'm pretty sure x509 is in the set of packages that Vincent has asked be abandoned. crypton-x509 is a replacement the same way crypton is. I doubt Kazu forked the repo/package just to keep updating the original. Getting everyone to switch ahead of time is a good proactive move.
I guess we can just ask @kazu-yamamoto directly if this is the right move.
from stackage.
The list of packages currently still depending on x509-*:
x509 (not present) depended on by:
- cryptostore-0.3.1.0 (>=1.7.5). Grandfathered dependencies. Used by: library
- jwt-0.11.0 (>=0). Brian McKenna @puffnfresh. Used by: library
- wai-saml2-0.5 (< 2). Michael B. Gale @mbg. Used by: library
x509-store (not present) depended on by:
- jwt-0.11.0 (>=0). Brian McKenna @puffnfresh. Used by: library
- wai-saml2-0.5 (< 2). Michael B. Gale @mbg. Used by: library
x509-validation (not present) depended on by:
- cryptostore-0.3.1.0 (>=1.5). Grandfathered dependencies. Used by: library
I'll make a PR and try to remove as many of them as possible
from stackage.
Closing, but note that we had to remove 2 additional packages that transitively depended on x509* packages (via jwt):
jwt (not present) depended on by:
- github-rest-1.1.4 (>=0.9 && < 0.12). Brandon Chinn @brandonchinn178. Used by: library
- gmail-simple-0.1.0.6 (>=0). Daniel Casanueva @Daniel-Diaz. Used by: library
from stackage.
It seems like crypton-x509's test suite is also depending on x509. I've made an issue:
from stackage.
FWIW, I prepared a PR for wai-saml2 to change the dependencies back when I got tagged here, but I was hoping that more context than the issue linked to in this comment would be added here before merging that.
Perhaps I am out of the loop with what's going on in the Haskell world, but it seems a big ask to just change security critical dependencies without much of an explanation for why that needs to happen and why I should trust the replacements.
I followed through a few issues and came across haskell-infra/hackage-trustees#396 which doesn't seem to be resolved yet.
from stackage.