This project is currently not under active development #388

Open
bzvestey opened this issue Aug 12, 2022 · 20 comments

@bzvestey
Contributor

Hello everyone, we here at OneLogin wanted to let you know that this project is currently not under active development. We apologize for recent silence and continued wait, but we intend to resume maintenance in the future.

Note that I am unable to make any more changes to this repository, and I don't have someone I can forward you to at this time.

@mauromol
Contributor

mauromol commented Aug 12, 2022

Two proposals from me:

  1. may I become a committer to maintain this project, although on a voluntary basis and with no warranty at all with regards to time and features?
  2. as an alternative, if I were to create a somewhat long term fork of this project, can I continue to use onelogin names in one or more of these locations:
    1. package names
    2. preferences names
    3. Maven artifact names (e.g. group id)
    4. anything else I cannot think of right now?

By the way, is @eriktalvi involved in this project any more?

@haavar

haavar commented Aug 12, 2022

@mauromol I would also be interested in taking over maintenance of this project. I was considering making a fork for my own purpose or maybe writing one from scratch that suits my needs, but obviously neither one of those options is ideal.

Depending on onelogin's stand on this, we could start a new fork without any onelogin references. I don't think the migration for any clients using this would be too cumbersome.

I can commit a fair bit of time to this, as the alternative would pretty much mean writing my own.

@pitbulk
Contributor

pitbulk commented Aug 15, 2022

Hi @mauromol,

I'm also considering forking all SAML repos and trying at least to give them critical support/maintenance, not only the java-saml one.

I will try to contact someone at OneLogin to see if that is going to be possible.

@mrmoss

mrmoss commented Aug 15, 2022

Hi all - Engineer at OneLogin here. Starting the process to get these all transferred over to @pitbulk. Not sure how long it will take, but since they are already open source, I don't see how they can be against it...

@mauromol
Contributor

Thanks for the news and thanks @pitbulk for stepping up. I hope the transition for this project will be quick.

@kleptog

kleptog commented Sep 27, 2022

How's it going with the transfer? And does this include the rights to update the packages on PyPI?

@eriktalvi

Development Update. OneLogin is releasing these projects to a new organization with @pitbulk. This migration is actively happening and the priority is to make the transition as seamless as possible for end users of these repo/packages.

We expect that there are several questions that you all have and we are working with @pitbulk to answer those in our next update. Below are some answers we have for you now.

What is being changed?
The repos/packages will no longer be officially supported and hosted by OneLogin. This means that they will not be in the OneLogin GitHub org but in a new org, SAML Tools. References to the repos being provided and supported by OneLogin Inc will be removed.

Which projects are being moved?
All SAML repos will be moved. This includes: java-saml, python3-saml, wordpress-saml, moodle-saml, joomla-saml, drupal-saml, and dotnet-saml

When will this transfer happen?
We expect this to be completed by the end of the year, Dec 31 2022.

Why is this transfer happening?
OneLogin is releasing control of these open source repos so that these repos can be maintained by the community instead.

When will the next update be?
To keep you all informed of status, we will give monthly updates of how the transfer is proceeding.

eriktalvi reopened this Nov 1, 2022

@danielstravito

December ping :)

@eriktalvi

Development Update. Although it may not seem like it, the last month had a lot of progress and the primary SAML Toolkit repos and packages have been transferred from OneLogin to this new SAML Toolkit Org.

@pitbulk now has all the access needed to maintain these toolkits and will be providing his own update.

There has been a lot of pent up demand for support on these repos and now that this transfer is finished you should expect to see a lot more progress on that!

There are still four repos (wordpress-saml, moodle-saml, joomla-saml, drupal-saml) left to transfer and these will be finished in the upcoming weeks.

Cheers!

(Thanks for the ping @danielstravito )

@eyalyatir

January update?

@eriktalvi

I'll let @pitbulk give a longer update, but the migration has happened and these repos are now part of the SAML-Toolkits org.

@pitbulk
Contributor

pitbulk commented Jan 17, 2023

@eyalyatir , @danielstravito

I started to provide support to the SAML toolkits.

I started with the python-saml and python3-saml repos, continued with the ruby-saml and now I'm working on the php-saml toolkit. The java-saml is going to be the next one, but first I need to update and release the php-saml toolkit.

Once I clean up, reply to issues, take care of old PRs, update dependencies and make an official release, the maintenance on all repos will be done in parallel, but there was a lot of work to be done and I'm doing it in my spare time, which is very limited atm.
Doing my best :)

@danieltaylor

@eriktalvi, correct me if I'm wrong, but it appears that not all of the projects mentioned above have been migrated yet? I am particularly interested in the migration of wordpress-saml, which seems to still be pending migration per @pitbulk's comment this last May. Would it be possible to get an update on this?

Thank you for your efforts to allow the continued open-source development of these projects!

@sebastianmichalski

How is the progress with java-saml?

@coffeebeantraining

> How is the progress with java-saml?

Looks like @pitbulk moved on from onelogin a while ago.
https://www.linkedin.com/in/sixtomartin/?locale=en_US
I also am needing a Jakarta version since we're operating with TomEE instead of Tomcat.

@mrmoss

mrmoss commented Apr 11, 2024

> > How is the progress with java-saml?
>
> Looks like @pitbulk moved on from onelogin a while ago. https://www.linkedin.com/in/sixtomartin/?locale=en_US I also am needing a Jakarta version since we're operating with TomEE instead of Tomcat.

Really late to this, but a little background on OneLogin: OneLogin doesn't have engineers anymore (there's less than 10 people in the engineering side of things these days...probably less than 5 now...and they will be going away as soon as the company can extract knowledge from them). OneLogin was bought out by private equity and everything has been contracted to outside of the company. Open source libraries were essentially the first thing abandoned once they were acquired (well, except for the employees).

There's a single person (@pitbulk) really looking at any repo under this org. I don't know how he does it. After working at OneLogin, my personal desire to code or engineer is completely gone. That company trampled the spirits of a lot of engineers.

TLDR - Every project in this org is maintained by one engineer with a full time job and a personal life working for free.

If you work for a company utilizing this code, it might be worth telling them to send a paycheck to @pitbulk or @eriktalvi for any critical improvements.

Note: Erik is the one that fought for these repos to be handed over to Sixto. Without him, these would have been slowly killed and possibly made private. It took nearly a year to get this done.

@dsvensson

dsvensson commented Apr 11, 2024

If it took nearly a year to get this in place, why just let it rot now? This background information makes it feel even more destructive what's going on in #395 where people have reached out to help with maintainership only to be met with silence, and empty promises of "I'll look into this RSN". Better try to find some solid names before JiaT75 enters the chat.

Broadening the set of co-maintainers doesn't necessarily have to mean handing over the keys to the castle like in the xz case, merely reducing the overall burden.

@mrmoss

mrmoss commented Apr 11, 2024

@dsvensson Everyone only has so much energy. Vetting someone to take over is not zero work. When it comes to SAML specifically, the potential for things to go wrong is high.

I think you're asking the wrong question: Why should the weight of a set of repos, used primarily by companies, with record profits, rest upon the actions of one person for zero compensation?

Pressure to give free labor at the expense of one's well being is what enabled the JiaT75 situation. Complaining that the repo is not well maintained enough is literally how JiaT75 got commit rights in the first place.

The mental health of open source contributors is greater than the needs of companies. If they cannot wait for the maintainer to find time, then they either need to compensate said maintainer so they prioritize the efforts OR they need to do the work themselves.

The code is open. Nothing is stopping anyone from forking it.

@haavar

haavar commented Apr 25, 2024

I completely understand that people's time and energy is limited, and I certainly understand why the original maintainers would not want to keep working on this. I am not trying to make someone do something they don't want to. I'm simply trying to evaluate if this project is end of life or not, and if it is EOL then I want to see if there is a community to bring it forward.

From this exchange it sounds like we are at the end of the road for this repo. I don't have any way of paying contributors to maintain this project. Even if I did, I don't think I could rely heavily on a project that only gets critical updates.

I have a vested interest in the java-common-core module, and I have no problems justifying spending work hours on that. I will start looking into what a fork would look like under the MIT license and my workplace policies, and weighing the red tape of that vs starting a library from scratch.

Are there others that are willing to contribute to either a fork, or this current repo if @pitbulk would be willing to vet us?

I just want to stress that I appreciate the effort that has been put into this project, and I'm not trying to coerce anyone into doing something that they don't want.

@pitbulk
Contributor

pitbulk commented Apr 26, 2024

@haavar, I'm always open to collaborations, but as we saw in the recent XZ Utils issue, I am responsible for the final release and what is pushed. Sadly, it is not that easy to grant 2-3 new maintainers permissions and allow them to take care of the project.

The current challenge is that I had no time to review the work done by @markkolich at #395 and find a way to adapt it in a way that current Java projects will keep working after an update.

@haavar if you or anyone can spend time on this task and unblock this part, the rest of the work is going to be a matter of fixing some expired payloads used in tests, reviewing and merging some pending PRs and doing the release.
