Hello community,

here is the log from the commit of package age for openSUSE:Factory checked in 
at 2024-12-20 23:11:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/age (Old)
 and      /work/SRC/openSUSE:Factory/.age.new.1881 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "age"

Fri Dec 20 23:11:29 2024 rev:5 rq:1232179 version:1.2.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/age/age.changes  2024-08-30 13:32:58.423950481 
+0200
+++ /work/SRC/openSUSE:Factory/.age.new.1881/age.changes        2024-12-20 
23:12:27.069001358 +0100
@@ -1,0 +2,11 @@
+Wed Dec 18 17:31:35 UTC 2024 - Martin Hauke <[email protected]>
+
+- Update to version 1.2.1
+  * This release fixes a security vulnerability that could allow
+    an attacker to execute an arbitrary binary under certain
+    conditions.
+    See: 
https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
+  * Plugin names may now only contain alphanumeric characters or
+    the four special characters +-._.
+
+-------------------------------------------------------------------
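
Review bot: the security entry in this new age.changes block identifies the issue only by the GHSA advisory URL. If a CVE or Bugzilla ID has been assigned to it, reference that ID in the same bullet so the fix can be found by ID in the changelog. The entry also leaves out the README and _service changes that appear further down in this diff; the _service mode change at least deserves a line.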

Old:
----
  age-1.2.0.tar.gz

New:
----
  age-1.2.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ age.spec ++++++
--- /var/tmp/diff_new_pack.rQwzAD/_old  2024-12-20 23:12:27.677026432 +0100
+++ /var/tmp/diff_new_pack.rQwzAD/_new  2024-12-20 23:12:27.677026432 +0100
@@ -2,7 +2,7 @@
 # spec file for package age
 #
 # Copyright (c) 2024 SUSE LLC
-# Copyright (c) 2021, Martin Hauke <[email protected]>
+# Copyright (c) 2021-2024, Martin Hauke <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 
 Name:           age
-Version:        1.2.0
+Version:        1.2.1
 Release:        0
 Summary:        A file encryption tool
 License:        BSD-3-Clause

++++++ _service ++++++
--- /var/tmp/diff_new_pack.rQwzAD/_old  2024-12-20 23:12:27.709027752 +0100
+++ /var/tmp/diff_new_pack.rQwzAD/_new  2024-12-20 23:12:27.713027917 +0100
@@ -1,8 +1,8 @@
 <services>
-  <service mode="disabled" name="set_version">
+  <service name="set_version" mode="disabled">
     <param name="basename">age</param>
   </service>
-  <service name="go_modules" mode="disabled">
+  <service name="go_modules" mode="manual">
   </service>
 </services>
 
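Review bot: after this hunk the two services in _service use different modes: set_version stays mode="disabled" while go_modules becomes mode="manual". Use the same mode for both unless the difference is intended, and say so in age.changes if it is. The attribute reordering on the set_version line changes nothing and only adds noise to the diff; drop it.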

++++++ age-1.2.0.tar.gz -> age-1.2.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/age-1.2.0/README.md new/age-1.2.1/README.md
--- old/age-1.2.0/README.md     2024-06-16 16:01:06.000000000 +0200
+++ new/age-1.2.1/README.md     2024-12-18 16:01:18.000000000 +0100
@@ -157,6 +157,39 @@
 
 Help from new packagers is very welcome.
 
+### Verifying the release signatures
+
+If you download the pre-built binaries, you can check their
+[Sigsum](https://www.sigsum.org) proofs, which are like signatures with extra
+transparency: you can cryptographically verify that every proof is logged in a
+public append-only log, so you can hold the age project accountable for every
+binary release we ever produced. This is similar to what the [Go Checksum
+Database](https://go.dev/blog/module-mirror-launch) provides.
+
+```
+cat << EOF > age-sigsum-key.pub
+ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIM1WpnEswJLPzvXJDiswowy48U+G+G1kmgwUE2eaRHZG
+ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIAz2WM5CyPLqiNjk7CLl4roDXwKhQ0QExXLebukZEZFS
+EOF
+cat << EOF > sigsum-trust-policy.txt
+log 154f49976b59ff09a123675f58cb3e346e0455753c3c3b15d465dcb4f6512b0b 
https://poc.sigsum.org/jellyfish
+witness poc.sigsum.org/nisse 
1c25f8a44c635457e2e391d1efbca7d4c2951a0aef06225a881e46b98962ac6c
+witness rgdd.se/poc-witness  
28c92a5a3a054d317c86fc2eeb6a7ab2054d6217100d0be67ded5b74323c5806
+group  demo-quorum-rule all poc.sigsum.org/nisse rgdd.se/poc-witness
+quorum demo-quorum-rule
+EOF
+
+curl -JLO "https://dl.filippo.io/age/v1.2.0?for=darwin/arm64";
+curl -JLO "https://dl.filippo.io/age/v1.2.0?for=darwin/arm64&proof";
+
+go install sigsum.org/sigsum-go/cmd/[email protected]
+sigsum-verify -k age-sigsum-key.pub -p sigsum-trust-policy.txt \
+    age-v1.2.0-darwin-arm64.tar.gz.proof < age-v1.2.0-darwin-arm64.tar.gz
+```
+
+You can learn more about what's happening above in the [Sigsum
+docs](https://www.sigsum.org/getting-started/).
+
 ## Usage
 
 For the full documentation, read [the age(1) man 
page](https://filippo.io/age/age.1).
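
Review bot: the verification example in the added README section still pins v1.2.0, in both curl URLs and in the file names passed to sigsum-verify. That is the release this update replaces because of the security fix, so a reader who pastes the block verifies and ends up with the 1.2.0 binary. The example should name v1.2.1 or use a version placeholder; worth reporting upstream. The trust policy also points at a log under poc.sigsum.org with a group called demo-quorum-rule, and the text does not say what assurance that proof-of-concept setup gives; one sentence on that would help readers judge the result.
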
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/age-1.2.0/cmd/age/testdata/plugin.txt 
new/age-1.2.1/cmd/age/testdata/plugin.txt
--- old/age-1.2.0/cmd/age/testdata/plugin.txt   2024-06-16 16:01:06.000000000 
+0200
+++ new/age-1.2.1/cmd/age/testdata/plugin.txt   2024-12-18 16:01:18.000000000 
+0100
@@ -10,6 +10,15 @@
 cmp stdout input
 ! stderr .
 
+# check that path separators are rejected
+chmod 755 age-plugin-pwn/pwn
+mkdir $TMPDIR/age-plugin-pwn
+cp age-plugin-pwn/pwn $TMPDIR/age-plugin-pwn/pwn
+! age -r age1pwn/pwn19gt89dfz input
+! age -d -i pwn-identity.txt test.age
+! age -d -j pwn/pwn test.age
+! exists pwn
+
 -- input --
 test
 -- key.txt --
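
Review bot: the three added "! age ..." lines only assert a non-zero exit, and "! exists pwn" is checked once after all of them. A command that fails for an unrelated reason would still pass, and a regression could not be attributed to one of the three entry points (-r, -i, -j). Add a stderr pattern check for the expected rejection after each command. The comment says "path separators", but the changelog states that names are limited to alphanumerics and +-._, so a case with a disallowed character that is not a path separator would cover the rest of the rule.
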
@@ -18,3 +27,8 @@
 
age1test10pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8
 
s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7qj6rl8p
 -- long-key.txt --
 
AGE-PLUGIN-TEST-10PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8
 
S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7Q5U8SUD
+-- pwn-identity.txt --
+AGE-PLUGIN-PWN/PWN-19GYK4WLY
+-- age-plugin-pwn/pwn --
+#!/bin/sh
+touch "$WORK/pwn"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/age-1.2.0/cmd/age-keygen/keygen.go 
new/age-1.2.1/cmd/age-keygen/keygen.go
--- old/age-1.2.0/cmd/age-keygen/keygen.go      2024-06-16 16:01:06.000000000 
+0200
+++ new/age-1.2.1/cmd/age-keygen/keygen.go      2024-12-18 16:01:18.000000000 
+0100
@@ -158,5 +158,5 @@
 }
 
 func warning(msg string) {
-       log.Printf("age-keygen: warning: " + msg)
+       log.Printf("age-keygen: warning: %s", msg)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/age-1.2.0/internal/format/format.go 
new/age-1.2.1/internal/format/format.go
--- old/age-1.2.0/internal/format/format.go     2024-06-16 16:01:06.000000000 
+0200
+++ new/age-1.2.1/internal/format/format.go     2024-12-18 16:01:18.000000000 
+0100
@@ -201,7 +201,7 @@
                b, err := DecodeString(strings.TrimSuffix(string(line), "\n"))
                if err != nil {
                        if bytes.HasPrefix(line, footerPrefix) || 
bytes.HasPrefix(line, stanzaPrefix) {
-                               return nil, fmt.Errorf("malformed body line %q: 
stanza ended without a short line\nNote: this might be a file encrypted with an 
old beta version of age or rage. Use age v1.0.0-beta6 or rage to decrypt it.", 
line)
+                               return nil, fmt.Errorf("malformed body line %q: 
stanza ended without a short line\nnote: this might be a file encrypted with an 
old beta version of age or rage; use age v1.0.0-beta6 or rage to decrypt it", 
line)
                        }
                        return nil, errorf("malformed body line %q: %v", line, 
err)
                }
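
Review bot: the reworded message in the footerPrefix/stanzaPrefix branch is returned with fmt.Errorf, while the next return in the same block uses the package's errorf helper. If errorf adds a prefix or a typed error, this branch bypasses it; use errorf here too or add a comment saying why not. The string also still carries an embedded "\n", which reads badly once the error is wrapped into a single-line message.
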
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/age-1.2.0/internal/stream/stream.go 
new/age-1.2.1/internal/stream/stream.go
--- old/age-1.2.0/internal/stream/stream.go     2024-06-16 16:01:06.000000000 
+0200
+++ new/age-1.2.1/internal/stream/stream.go     2024-12-18 16:01:18.000000000 
+0100
@@ -12,7 +12,6 @@
        "io"
 
        "golang.org/x/crypto/chacha20poly1305"
-       "golang.org/x/crypto/poly1305"
 )
 
 const ChunkSize = 64 * 1024
@@ -29,7 +28,7 @@
 }
 
 const (
-       encChunkSize  = ChunkSize + poly1305.TagSize
+       encChunkSize  = ChunkSize + chacha20poly1305.Overhead
        lastChunkFlag = 0x01
 )
 
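Review bot: encChunkSize in this const block defines the size of an encrypted chunk in the file format, so the swap from poly1305.TagSize to chacha20poly1305.Overhead must not change its value. The vendored file removed later in this diff shows TagSize = 16 and its comment names chacha20poly1305.Overhead as the replacement, so the value should be unchanged, but nothing in the patch checks it. A one-line test asserting encChunkSize == ChunkSize + 16 would lock the format constant against future dependency updates.
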
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/age-1.2.0/plugin/client.go 
new/age-1.2.1/plugin/client.go
--- old/age-1.2.0/plugin/client.go      2024-06-16 16:01:06.000000000 +0200
+++ new/age-1.2.1/plugin/client.go      2024-12-18 16:01:18.000000000 +0100
@@ -9,13 +9,13 @@
 
 import (
        "bufio"
-       "bytes"
        "fmt"
        "io"
        "math/rand"
        "os"
        "path/filepath"
        "strconv"
+       "strings"
        "time"
 
        exec "golang.org/x/sys/execabs"
@@ -179,6 +179,9 @@
 
 func NewIdentityWithoutData(name string, ui *ClientUI) (*Identity, error) {
        s := EncodeIdentity(name, nil)
+       if s == "" {
+               return nil, fmt.Errorf("invalid plugin name: %q", name)
+       }
        return &Identity{
                name: name, encoding: s, ui: ui,
        }, nil
@@ -382,7 +385,6 @@
        cmd       *exec.Cmd
        io.Reader // stdout
        io.Writer // stdin
-       stderr    bytes.Buffer
        close     func()
 }
 
@@ -392,6 +394,8 @@
        path := "age-plugin-" + name
        if testOnlyPluginPath != "" {
                path = filepath.Join(testOnlyPluginPath, path)
+       } else if strings.ContainsRune(name, os.PathSeparator) {
+               return nil, fmt.Errorf("invalid plugin name: %q", name)
        }
        cmd := exec.Command(path, "--age-plugin="+protocol)
 
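Review bot: the new else-if before exec.Command rejects only os.PathSeparator, a single platform-specific rune, and is skipped entirely when testOnlyPluginPath is set. That is narrower than the validPluginName allowlist this patch adds in plugin/encode.go. Since this is the last check before the name becomes part of an executable path, call validPluginName(name) here for every caller, as its own statement ahead of the testOnlyPluginPath branch, so the exec path and the encoders enforce one rule.
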
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/age-1.2.0/plugin/encode.go 
new/age-1.2.1/plugin/encode.go
--- old/age-1.2.0/plugin/encode.go      2024-06-16 16:01:06.000000000 +0200
+++ new/age-1.2.1/plugin/encode.go      2024-12-18 16:01:18.000000000 +0100
@@ -14,6 +14,9 @@
 // EncodeIdentity encodes a plugin identity string for a plugin with the given
 // name. If the name is invalid, it returns an empty string.
 func EncodeIdentity(name string, data []byte) string {
+       if !validPluginName(name) {
+               return ""
+       }
        s, _ := bech32.Encode("AGE-PLUGIN-"+strings.ToUpper(name)+"-", data)
        return s
 }
@@ -30,12 +33,18 @@
        }
        name = strings.TrimSuffix(strings.TrimPrefix(hrp, "AGE-PLUGIN-"), "-")
        name = strings.ToLower(name)
+       if !validPluginName(name) {
+               return "", nil, fmt.Errorf("invalid plugin name: %q", name)
+       }
        return name, data, nil
 }
 
 // EncodeRecipient encodes a plugin recipient string for a plugin with the 
given
 // name. If the name is invalid, it returns an empty string.
 func EncodeRecipient(name string, data []byte) string {
+       if !validPluginName(name) {
+               return ""
+       }
        s, _ := bech32.Encode("age1"+strings.ToLower(name), data)
        return s
 }
@@ -51,5 +60,21 @@
                return "", nil, fmt.Errorf("not a plugin recipient: %v", err)
        }
        name = strings.TrimPrefix(hrp, "age1")
+       if !validPluginName(name) {
+               return "", nil, fmt.Errorf("invalid plugin name: %q", name)
+       }
        return name, data, nil
 }
+
+func validPluginName(name string) bool {
+       if name == "" {
+               return false
+       }
+       allowed := 
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-._"
+       for _, r := range name {
+               if !strings.ContainsRune(allowed, r) {
+                       return false
+               }
+       }
+       return true
+}
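
Review bot: validPluginName is added without a doc comment and without a unit test in this patch. Add a comment stating the rule (non-empty, ASCII letters and digits plus +-._) and the reason for it (the name is appended to "age-plugin-" and executed in plugin/client.go), and a table-driven test for accepted and rejected names. Also note that the identity-parsing hunk (@@ -30,12) lowercases the name before validating, while this recipient-parsing hunk validates the value trimmed from hrp as-is; confirm the difference is intended, given that the allowlist accepts upper case.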

++++++ vendor.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/vendor/golang.org/x/crypto/poly1305/poly1305_compat.go 
new/vendor/golang.org/x/crypto/poly1305/poly1305_compat.go
--- old/vendor/golang.org/x/crypto/poly1305/poly1305_compat.go  2024-07-08 
13:08:39.979525795 +0200
+++ new/vendor/golang.org/x/crypto/poly1305/poly1305_compat.go  1970-01-01 
01:00:00.000000000 +0100
@@ -1,91 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package poly1305 implements Poly1305 one-time message authentication code as
-// specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
-//
-// Poly1305 is a fast, one-time authentication function. It is infeasible for 
an
-// attacker to generate an authenticator for a message without the key. 
However, a
-// key must only be used for a single message. Authenticating two different
-// messages with the same key allows an attacker to forge authenticators for 
other
-// messages with the same key.
-//
-// Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES 
was
-// used with a fixed key in order to generate one-time keys from an nonce.
-// However, in this package AES isn't used and the one-time key is specified
-// directly.
-//
-// Deprecated: Poly1305 as implemented by this package is a cryptographic
-// building block that is not safe for general purpose use.
-// For encryption, use the full ChaCha20-Poly1305 construction implemented by
-// golang.org/x/crypto/chacha20poly1305. For authentication, use a general
-// purpose MAC such as HMAC implemented by crypto/hmac.
-package poly1305 // import "golang.org/x/crypto/poly1305"
-
-import "golang.org/x/crypto/internal/poly1305"
-
-// TagSize is the size, in bytes, of a poly1305 authenticator.
-//
-// For use with golang.org/x/crypto/chacha20poly1305, chacha20poly1305.Overhead
-// can be used instead.
-const TagSize = 16
-
-// Sum generates an authenticator for msg using a one-time key and puts the
-// 16-byte result into out. Authenticating two different messages with the same
-// key allows an attacker to forge messages at will.
-func Sum(out *[16]byte, m []byte, key *[32]byte) {
-       poly1305.Sum(out, m, key)
-}
-
-// Verify returns true if mac is a valid authenticator for m with the given 
key.
-func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
-       return poly1305.Verify(mac, m, key)
-}
-
-// New returns a new MAC computing an authentication
-// tag of all data written to it with the given key.
-// This allows writing the message progressively instead
-// of passing it as a single slice. Common users should use
-// the Sum function instead.
-//
-// The key must be unique for each message, as authenticating
-// two different messages with the same key allows an attacker
-// to forge messages at will.
-func New(key *[32]byte) *MAC {
-       return &MAC{mac: poly1305.New(key)}
-}
-
-// MAC is an io.Writer computing an authentication tag
-// of the data written to it.
-//
-// MAC cannot be used like common hash.Hash implementations,
-// because using a poly1305 key twice breaks its security.
-// Therefore writing data to a running MAC after calling
-// Sum or Verify causes it to panic.
-type MAC struct {
-       mac *poly1305.MAC
-}
-
-// Size returns the number of bytes Sum will return.
-func (h *MAC) Size() int { return TagSize }
-
-// Write adds more data to the running message authentication code.
-// It never returns an error.
-//
-// It must not be called after the first call of Sum or Verify.
-func (h *MAC) Write(p []byte) (n int, err error) {
-       return h.mac.Write(p)
-}
-
-// Sum computes the authenticator of all data written to the
-// message authentication code.
-func (h *MAC) Sum(b []byte) []byte {
-       return h.mac.Sum(b)
-}
-
-// Verify returns whether the authenticator of all data written to
-// the message authentication code matches the expected value.
-func (h *MAC) Verify(expected []byte) bool {
-       return h.mac.Verify(expected)
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/vendor/modules.txt new/vendor/modules.txt
--- old/vendor/modules.txt      2024-07-08 13:08:40.096194898 +0200
+++ new/vendor/modules.txt      2024-12-18 18:31:04.000000000 +0100
@@ -29,7 +29,6 @@
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
 golang.org/x/crypto/pbkdf2
-golang.org/x/crypto/poly1305
 golang.org/x/crypto/scrypt
 golang.org/x/crypto/ssh
 golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
