Alternative to forking golang.org/x/crypto

[jpillor-macquarie]

Thanks for the great work with sshpiper :)

Sorry I posted here because https://github.com/tg123/sshpiper.crypto has issues disabled. This is just a suggestion, feel free to close. I understand that doing this essentially abandons efforts to get this merged upstream to golang.org/x/crypto.

Currently https://github.com/tg123/sshpiper.crypto forks golang.org/x/crypto. This means that we have to do a mod replace for all of golang.org/x/crypto and you potentially miss critical security updates.

As an alternative, sshpiper.crypto could instead be a go module with one package: ssh, which itself imports golang.org/x/crypto

Then users of sshpiper.crypto only import the ssh package; for everything else, they stick to golang.org/x/crypto.

I have done this to avoid the mod replace, I wrote myself a list to update sshpiper.crypto

• Clone https://github.com/tg123/sshpiper.crypto into tmp
• Copy tmp/ssh to ./ssh
• Copy tmp/internal/poly1305 to ./ssh/internal
• Copy tmp/ssh/internal/bcrypt_pbkdf to ./ssh/internal
• Alias PublicKey and Signature to x/crypto/ssh to maintain type compatibility

[tg123]

what i have to is watch upstream and update timely

i did not get how your solution works, could you please send a pr?

[hexiaodai]

We had the same problem.