enhancement(5039): bump up go version to 1.24, replace pbkdf2 with stdlib pbkdf2 #291
kaanyalti wants to merge 1 commit into
| module github.com/elastic/elastic-agent-libs | ||
|
|
||
| go 1.22.12 | ||
| go 1.24 |
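Review bot: the go directive moves from 1.22.12 straight to 1.24, which raises the minimum toolchain for every module that imports github.com/elastic/elastic-agent-libs, not only for the code that needs the stdlib pbkdf2. Consider leaving the directive at a version that still covers all supported Go releases and selecting the stdlib implementation with a go1.24 build constraint next to an x/crypto fallback. If the bump stays, write it with a patch level (go 1.24.0) to match the form of the line it replaces.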
go 1.23 is still supported, we can't drop it
If we still need to support go 1.23 here then we won't be able to move from golang.org/x/crypto/pbkdf2 to the stdlib crypto implementations.
@kaanyalti @kruskall I wonder why the keystore even shows up as an issue in the downstream dependencies since it was excluded when in fips mode.
We should refrain from updating the minimum Go version in libs until the respective update for Beats/Agent is well underway. Sometimes, we have important fixes in libs that need to be backported to Beats/Agent. If we update this too soon, we risk soft-locking ourselves out of those important changes.
That said, if we first update Beats/Agent to 1.24 and it goes well, I see no reason why we cannot make the move to update libs too.
> If we still need to support go 1.23 here then we won't be able to move from golang.org/x/crypto/pbkdf2 to the stdlib crypto implementations.
we can use x/crypto for go <1.24 and stdlib for go >=1.24. See #289
> I wonder why the keystore even shows up as an issue in the downstream dependencies since it was excluded when in fips mode.
If the package is imported then it is linked in the final binary (especially with DCE disabled). It's one of the reasons the kerberos library was excluded in a way that avoided importing the package.
> That said, if we first update Beats/Agent to 1.24 and it goes well, I see no reason why we cannot make the move to update libs too.
I'm not sure I agree :(
This is a library and it's not only used by beats/agent. The policy has usually been to support all the supported versions of go in libraries (currently 1.23 and 1.24)
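The version split suggested in the comment above ("x/crypto for go <1.24 and stdlib for go >=1.24") can be done with build constraints. This is an added example, not code from this PR or from #289; `deriveKey` is a hypothetical helper name and the inputs are constructed. It shows the Go 1.24 side and notes where the stdlib signature differs from x/crypto's.

```go
//go:build go1.24

// Go >= 1.24 half of a version-gated PBKDF2 helper (added example).
// A sibling file tagged "//go:build !go1.24" (not shown) would define the
// same deriveKey using golang.org/x/crypto/pbkdf2, whose Key takes
// (password, salt []byte, iter, keyLen int, h func() hash.Hash) and
// returns only []byte.
package main

import (
	"crypto/pbkdf2"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// deriveKey is a hypothetical helper name, not an elastic-agent-libs API.
// The stdlib Key puts the hash constructor first, takes the password as a
// string, and returns an error that callers have to handle.
func deriveKey(password, salt []byte, iter, keyLen int) ([]byte, error) {
	if iter < 1 || keyLen < 1 {
		return nil, fmt.Errorf("pbkdf2: invalid iter=%d keyLen=%d", iter, keyLen)
	}
	key, err := pbkdf2.Key(sha256.New, string(password), salt, iter, keyLen)
	if err != nil {
		return nil, fmt.Errorf("pbkdf2: %w", err)
	}
	return key, nil
}

func main() {
	// Constructed sample inputs; real callers use a random salt per secret.
	key, err := deriveKey([]byte("password"), []byte("salt"), 4096, 32)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(hex.EncodeToString(key))
}
```

Because both files export the same function, callers compile unchanged on either toolchain, and only the Go 1.24 build links the stdlib implementation.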
> This is a library and it's not only used by beats/agent. The policy has usually been to support all the supported versions of go in libraries (currently 1.23 and 1.24)
Fair point, agree with you on this.
💔 Build Failed
I believe this is superseded and fixed by #289
Thank you all for the input, closing this PR as it is not needed
What does this PR do?
Bumps up the go version to 1.24 and replaces x/crypto/pbkdf2 with stdlib pbkdf2.
Why is it important?
We are moving away from using x/crypto to be FIPS compliant.
Checklist
[ ] I have commented my code, particularly in hard-to-understand areas
[ ] I have added tests that prove my fix is effective or that my feature works
Related issues