Use cryptohash-sha256, not crypton, for SHA256 hashes #640

Merged: sol merged 1 commit into main from sha256 on Mar 7, 2026

mpilgrem (Collaborator) commented Mar 5, 2026

My general motivation is to reduce indirect dependencies on memory and basement (which are unmaintained) (a goal I have for Stack). This eliminates a dependency on crypton.

However, in addition, hpack only uses crypton for SHA256 hashes. cryptohash-sha256 is a lightweight package for that single purpose.

sol (Owner) commented Mar 7, 2026

@mpilgrem apparently released versions of Hpack stopped building https://github.com/sol/hpack/actions/runs/22788497963/job/66110378136, which I think is unfortunate.

cc @kazu-yamamoto

sol merged commit b982acf into main Mar 7, 2026
9 checks passed
sol deleted the sha256 branch March 7, 2026 09:05

sol (Owner) commented Mar 7, 2026

main is also broken

mpilgrem (Collaborator, Author) commented Mar 7, 2026

@sol, I will look into that.

mpilgrem added a commit that referenced this pull request Mar 7, 2026
See:
* #640
* #641
* snoyberg/http-client#573

The immediate problem is that direct dependency `http-client-tls <=
0.3.6.4` does not support newly-released `crypton-1.1.0` (an indirect
dependency of `hpack`) but does not, itself, specify an upper bound on
`crypton`.

kazu-yamamoto commented Mar 7, 2026

One thing I found is that the boundary of tls v2.2 is loose. It must use hpke v0.0.0, not v0.1.0. I will update the metadata of Hackage.

kazu-yamamoto commented

@sol Sorry for the inconvenience. This is my fault. I have updated the metadata of tls v2.2.2. Would you run CI again?
