[tor-bugs] #33464 [Circumvention/Obfs4]: ed25519 has been removed by maintainer, breaking obfs4 builds and go gets
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Mar 12 16:55:00 UTC 2020
#33464: ed25519 has been removed by maintainer, breaking obfs4 builds and go gets
---------------------------------+--------------------------
Reporter: markness@… | Owner: phw
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Circumvention/Obfs4 | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------+--------------------------
Old description:
> As of 2020-02-26 the maintainer of https://github.com/agl/ed25519/ has
> removed all their code, their releases, and everything to do with their
> ed25519 project.
>
> This means building projects that import that module, without having the
> module in an old go `vendor` directory fail.
>
> go get -v git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
> package github.com/agl/ed25519/extra25519: cannot find package
> "github.com/agl/ed25519/extra25519"
>
> As such this project cannot be built or included by anything that fetches
> it with `go get`
>
> I'm not sure if this library is imported anywhere else, but it certainly
> is used in obfs4
New description:
As of 2020-02-26 the maintainer of https://github.com/agl/ed25519/ has
removed all their code, their releases, and everything to do with their
ed25519 project.
This means building projects that import that module, without having the
module in an old go `vendor` directory fail.
{{{
go get -v git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
package github.com/agl/ed25519/extra25519: cannot find package
"github.com/agl/ed25519/extra25519"
}}}
As such this project cannot be built or included by anything that fetches
it with `go get`
I'm not sure if this library is imported anywhere else, but it certainly
is used in obfs4
--
Comment (by dcf):
markness, what version of go are you using? (Run `go version`.)
Current versions of go using [https://github.com/golang/go/wiki/Modules
go.mod] should be able to access the older commit where extra25519 is
still available. github.com/agl/ed25519 hasn't been completely deleted,
only deprecated, and all the code is still present in commit
[https://github.com/agl/ed25519/tree/5312a61534124124185d41f09206b9fef1d88403
5312a6153412] which is what
[https://gitlab.com/yawning/obfs4/-/blob/c357dd56dfa63add9eca7ed9d7de11c69c2a66f1/go.mod
obfs4's go.mod] specifies:
{{{
require(
github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412
)
}}}
I can imagine this would cause problems with the Tor Browser nightly
build, which ignores go.mod and uses master of most dependencies, but I
haven't heard of any problems there yet.
BTW the upstream of obfs4 is gitlab.com/yawning/obfs4, not
git.torproject.org/pluggable-transports/obfs4.git.
So putting aside the possible implementation issues in comment:1, it
should still be possible to build obfs4. With an older version of go, you
can probably do
{{{
go get github.com/agl/ed25519
cd $GOPATH/src/github.com/agl/ed25519
git reset --hard 5312a6153412
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33464#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list