util: password: Fix suspicious dep issue

It seems that without warning, the author of this dep has nuked the old
version, and reorganized the source tree significantly. I'm not an
expert in cryptography routines, but this doesn't make me feel warm
inside. I hope more expert researchers could look into this so that we
avoid supply chain attacks.
James Shubin
2024-07-07 12:47:14 -04:00
parent aa03b5ce2f
commit 74f747e80b
3 changed files with 8 additions and 4 deletions

go.mod

@@ -31,7 +31,6 @@ require (
github.com/prometheus/client_golang v1.19.0
github.com/sanity-io/litter v1.5.5
github.com/spf13/afero v1.11.0
github.com/tredoe/osutil/v2 v2.0.0-rc.16
github.com/vishvananda/netlink v1.2.1-beta.2
github.com/yalue/merged_fs v1.3.0
go.etcd.io/etcd/api/v3 v3.5.13
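Review bot: removing `github.com/tredoe/osutil/v2 v2.0.0-rc.16` here is a downgrade to a different module path (v1.5.0), not a version bump, and the hunk leaves the direct `require` block with no entry for the module the package still imports. Record in the commit message why v1.5.0 was chosen (the last tag before the upstream tree was reorganized?) and whether any fix present in the v2 line is lost for the sha512_crypt code path, so the pin is reviewable later.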
@@ -128,6 +127,7 @@ require (
github.com/spf13/cobra v1.8.0 // indirect
github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
github.com/tredoe/osutil v1.5.0 // indirect
github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
github.com/vishvananda/netns v0.0.4 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
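Review bot: `github.com/tredoe/osutil v1.5.0 // indirect` is misclassified: the module is imported directly by the password package in this same commit, so `go mod tidy` will strip the `// indirect` marker and move the line into the direct `require` block. Commit the tidied go.mod now, otherwise the next contributor's `go mod tidy` produces an unrelated diff.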

go.sum

@@ -434,8 +434,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
github.com/tredoe/osutil/v2 v2.0.0-rc.16 h1:5A2SKvyB2c3lhPYUIHyFtu6jbaXlaA3Hu5gWIam8Pik=
github.com/tredoe/osutil/v2 v2.0.0-rc.16/go.mod h1:uLRVx/3pb7Y4RQhG8cQFbPE9ha5r81e6MXpBsxbTAYc=
github.com/tredoe/osutil v1.5.0 h1:UGVxbbHRoZi8xXVmbNZ2vgG6XoJ15ndE4LniiQ3rJKg=
github.com/tredoe/osutil v1.5.0/go.mod h1:TEzphzUUunysbdDRfdOgqkg10POQbnfIPV50ynqOfIg=
github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
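Review bot: the two new `h1:` lines for `github.com/tredoe/osutil v1.5.0` are the only integrity record this repository keeps for a module the commit message itself calls suspicious, so say how they were obtained. With the default `GOSUMDB=sum.golang.org` the go command refuses a download whose hash disagrees with the checksum database, and `go mod verify` re-checks the module cache against go.sum; stating that both passed (and that `GONOSUMDB`/`GOPRIVATE` do not exempt this path) lets a reviewer trust the pin. The hunk replaces the v2 entries in place (`-434,8 +434,8`), so any other stale `github.com/tredoe/osutil/v2` line in go.sum would not show up here; `go mod tidy` removes those.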


@@ -27,6 +27,10 @@
// additional permission if he deems it necessary to achieve the goals of this
// additional permission.
// Package password has some utility functions for dealing with misc passwords.
// XXX: Please note, the "github.com/tredoe/osutil/user/crypt/sha512_crypt"
// dependency is slightly suspicious and we should investigate it further to
// make sure there are no supply chain issues with it.
package password
import (
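Review bot: the three `// XXX:` lines sit inside the package doc comment, between `// Package password has ...` and `package password`, so they will be published as the package's documentation in `go doc` and on pkg.go.dev. Move the note below the `package password` line or next to the import it concerns, and point it at a tracking issue rather than leaving the open investigation request in the public doc.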
@@ -41,7 +45,7 @@ import (
"syscall"
"time"
sha512Crypt "github.com/tredoe/osutil/v2/userutil/crypt/sha512_crypt"
sha512Crypt "github.com/tredoe/osutil/user/crypt/sha512_crypt"
"golang.org/x/sys/unix"
)
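Review bot: replacing `github.com/tredoe/osutil/v2/userutil/crypt/sha512_crypt` with `github.com/tredoe/osutil/user/crypt/sha512_crypt` keeps the `sha512Crypt` alias, so the call sites (not shown in this hunk) compile unchanged only if the v1 package exposes the same identifiers; confirm with `go build ./...` and `go vet ./...` that the v1 API, not just the import path, matches. Because the v1 and v2 paths are separate modules, also check that nothing else in the tree still imports the v2 path, otherwise both copies end up in the build.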