Transitive dependency (cloudflare/circl) making cross compiling difficult

[pfiaux]

I'm running into a slightly obscure build problem. Using bazel (and gazelle and rules_go) to build go-github worked fine with v50 both for arm64 and amd64. I recently tried to bump to v55 and found myself unable to build for amd64 via bazel.

I found that the transitive dependency github.com/cloudflare/circl was bumped from v1.1.0 to v1.3.3 after v52 of go-github. It seems used by github.com/ProtonMail/go-crypto.

The problem is that it includes some platform specific files (*_amd64.go) for some packages, and some headers and some assembly.

Unfortunately led to some issues trying to build via bazel with dependencies not detected:

external/com_github_cloudflare_circl/dh/x25519/curve_amd64.s:7: #include: open external/com_github_cloudflare_circl/math/fp25519/fp_amd64.h: no such file or directory

Quickly playing with GOARCH=amd64 it seems to work fine with go build so I suspect it's not actually a problem but more of a side effect of bazel trying to compile a bit too much of some of the libraries used transitively.

Since CGO usually raises the bar for compiling I thought I would mention that it might not be ideal that github.com/ProtonMail/go-crypto uses github.com/cloudflare/circl:

• Depending on the architecture it might need CGO for some packages
• https://github.com/cloudflare/circl claims to aim to be an experimental lib which might maybe not ideal to depend on transitively

  The goal of this library is to be used as a tool for experimental deployment of cryptographic algorithms targeting Post-Quantum (PQ) and Elliptic Curve Cryptography (ECC)

Is there an alternative to github.com/ProtonMail/go-crypto that would avoid this?

[gmlewis]

Triage info:

• Original issue: golang.org/x/crypto/openpgp is deprecated #2317
• Original deprecation: x/crypto/openpgp: mark as frozen and deprecated golang/go#44226
• Related PR: Move to Protonmail PGP #2666

Still investigating...

[gmlewis]

I'm wondering if you might get more traction by posting an issue here: https://github.com/ProtonMail/go-crypto/issues ?
Maybe one of their users has already encountered this and has a workaround?

[WillAbides]

If there is an appetite to change the API, we could replace Commit.SigningKey with a single-method interface or a Sign func that looks like:

Sign func(w io.Writer, r io.Reader) error

Then go-github wouldn't need to depend on any openpgp implementation.

Devs who want to sign commits would need to do something like:

c.Sign = func(w io.Writer, r io.Reader) error {
	return openpgp.ArmoredDetachSign(w, myKey, r, nil)
}

That's a little bit worse than the current experience, but not terrible.

[gmlewis]

I'm totally fine with that, as ProtonMail seems to me like a rather unusual dependency for this repo anyway.

@cablehead - @hungle92 - @exageraldo - @komod0 - do you have opinions since you were all involved in the issues linked above?

[gmlewis]

Thank you, @exageraldo - moving forward with #2935 hearing no objections.