util: password: Fix suspicious dep issue

It seems that without warning, the author of this dep has nuked the old
version, and reorganized the source tree significantly. I'm not an
expert in cryptography routines, but this doesn't make me feel warm
inside. I hope more expert researchers could look into this so that we
avoid supply chain attacks.
James Shubin
2024-07-07 12:47:14 -04:00
parent aa03b5ce2f
commit 74f747e80b
3 changed files with 8 additions and 4 deletions


@@ -27,6 +27,10 @@
// additional permission if he deems it necessary to achieve the goals of this
// additional permission.
// Package password has some utility functions for dealing with misc passwords.
// XXX: Please note, the "github.com/tredoe/osutil/user/crypt/sha512_crypt"
// dependency is slightly suspicious and we should investigate it further to
// make sure there are no supply chain issues with it.
package password
import (
@@ -41,7 +45,7 @@ import (
"syscall"
"time"
sha512Crypt "github.com/tredoe/osutil/v2/userutil/crypt/sha512_crypt"
sha512Crypt "github.com/tredoe/osutil/user/crypt/sha512_crypt"
"golang.org/x/sys/unix"
)
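Review bot: Changing the import from `github.com/tredoe/osutil/v2/userutil/crypt/sha512_crypt` to `github.com/tredoe/osutil/user/crypt/sha512_crypt` moves from the `/v2` major-version module to the un-versioned module, which is a different module path under Go's semantic import versioning, so `go.mod` and `go.sum` must change in step; this page lists 3 changed files but only shows this one, so the reviewer should confirm the `require` line and the `go.sum` entry pin the exact version that was previously audited rather than whatever `go get` resolves today. Given the commit message's own concern about the upstream tree being reorganized without notice, the stronger mitigation is to vendor the `sha512_crypt` package or pin it to a specific commit under a `replace` directive, so a future upstream rewrite cannot silently change the hashing code on the next `go mod tidy`.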