Skip to content
This repository has been archived by the owner on May 21, 2022. It is now read-only.

Migrating Maintenance #462

Open
dgrijalva opened this issue Apr 9, 2021 · 31 comments
Open

Migrating Maintenance #462

dgrijalva opened this issue Apr 9, 2021 · 31 comments

Comments

@dgrijalva
Copy link
Owner

See: #457

I haven't had time to maintain this project for quite a while. I originally made it just for myself, but it appears to have become quite popular. It seems like the best course of action would be to clone this into its own org and then set this repo up to mirror that one until users can fully migrate over. That's probably also a good opportunity to correctly implement go mod support.

Does anybody want to take over as maintainer? It looks like jwt-go already exists as a github org. Name ideas?

@ripienaar
Copy link

Pinging a few who were involved in earlier discussions: @camin-mccluskey @Waterdrips @mcoops @lggomez @adamchalmers @alexells @brianmay

@ripienaar
Copy link

I'd be happy to start an org and contribute, but I'd need at least 3 others to stand up and be willing to be co maintainers as this is quite a popular lib I think good coverage is needed.

In the absence I'd vote for:

  • Merges for the recent security release and one final release from @dgrijalva if he has that much time
  • README is updated with links to alternative
  • The project get archived having at least the major security issue fixed, thus sending a clear signal that this is the end for this one.

@Waterdrips
Copy link
Contributor

I haven't had time to maintain this project for quite a while. I originally made it just for myself, but it appears to have become quite popular.

Many thanks for your work on this project @dgrijalva.

I'd be happy to start an org and contribute, but I'd need at least 3 others to stand up and be willing to be co maintainers as this is quite a popular lib I think good coverage is needed.

Happy to be involved, under the same caveat of enough other co-maintainers

@mfridman
Copy link

Indeed, thank you for the implementation and maintaining it over the many years @dgrijalva

I'd be happy to start an org and contribute, but I'd need at least 3 others to stand up and be willing to be co maintainers as this is quite a popular lib I think good coverage is needed.

I echo this sentiment and would be happy to get involved (with the caveat there would be a few others). I think this is important for a few reasons:

  1. I have (and am familiar with) many downstream projects that either wrap or use this library
  2. It is so widely used in the Go ecosystem and deserves to be maintained
  3. It'd be a shame to see fragmentation as libraries like this benefit from the collective usage of many

@lggomez
Copy link

lggomez commented Apr 28, 2021

Sorry for the delay in my response. Also glad to see that @dgrijalva is alive after all and was just a lack of time issue. I wouldn't mind lending a hand in the project, under the clarification that my availability may be bound to work and study (as I guess it does for most of you folks). Aside from the work I did to locally port the claims fix and perform a quick glance of the code base, I see there is a lot of work which is already done to process (as for the v4 branch and all of the open PRs)

@ripienaar
Copy link

Ok so it looks like we at least have a number of initially interested maintainers.

What should we call the org?

initial names for maintainers appear to be me, @Waterdrips @mfridman and @lggomez

I need to read a bit how to create an org that’s fully independent on GitHub but let’s see if we can agree on a name first

@Waterdrips
Copy link
Contributor

go-jot or jot-go? names are hard. Using the spelling of the pronunciation of JWT instead of the acronym?

@lggomez
Copy link

lggomez commented Apr 28, 2021

go-jot or jot-go? names are hard. Using the spelling of the pronunciation of JWT instead of the acronym?

As long as it doesn't have got on its name I'm on board with any of both. I'd propose a more descriptive alternative maybe but the only one I can think of (it's 9 AM here 😪) would be the inverse of the package, go-jwt but it is already taken (and also is the package name, jwt-go.

Note that golang-jwt and jwt-golang seem to be available

Using the spelling of the pronunciation of JWT instead of the acronym?

Something on this route could work also

@mfridman
Copy link

I like the explicitness of golang-jwt and it's also good for search-ability, as most users would search "golang" + "jwt"

My vote is for golang-jwt or go-jot.

An alternative might be to approach existing community orgs with a focus on oss Go packages? E.g.,

https://github.com/pkg
https://github.com/friendsofgo
https://github.com/goware


I doubt this would get accepted into the go /x/ package, but that would be the ideal scenario whereby the community would have an "officially" supported JWT package that has some backing from the Go team.

@ripienaar
Copy link

Hmm, was not aware of those groups, definitely worth approaching ones with 3+ maintainers I think

@lggomez
Copy link

lggomez commented Apr 28, 2021

I like the explicitness of golang-jwt and it's also good for search-ability, as most users would search "golang" + "jwt"

My vote is for golang-jwt or go-jot.

An alternative might be to approach existing community orgs with a focus on oss Go packages? E.g.,

https://github.com/pkg
https://github.com/friendsofgo
https://github.com/goware

I doubt this would get accepted into the go /x/ package, but that would be the ideal scenario whereby the community would have an "officially" supported JWT package that has some backing from the Go team.

I would mention https://github.com/gofrs, which is a group composed of new maintainers of previously abandoned or deprecated projects such as https://github.com/gofrs/uuid

@ripienaar
Copy link

gofrs look pretty good, do any of us know any of the maintainers on these projects?

@mfridman
Copy link

gofrs is probably the best option. (they are in #gofrs on the gophers slack, if you're there)

Just want to throw out other alternatives, thoughts?

  1. there appears to already be a maintained fork? https://github.com/form3tech-oss/jwt-go
  2. keep this repo as-is but request maintainer access to a few folks on dgrijalva/jwt-go (not sure if @dgrijalva is comfortable with that)

@ripienaar
Copy link

The reason we mentioned 1 as not an option is because (I at least) felt a independantly maintained project is best rather than one associated with some company.

@mfridman
Copy link

mfridman commented May 4, 2021

Unless no objections, I'll submit an issue for gofrs by end of day.

https://github.com/gofrs/help-requests

EDIT: linking for brevity (another issue was already opened) at gofrs/help-requests#41

@mfridman
Copy link

mfridman commented May 13, 2021

In case we don't get any responses on gofrs/help-requests#41 I propose creating a separate repo among those interested within this thread.

golang-jwt/jwt or go-jot/jwt or other, any preferences?

...
What should we call the org?

initial names for maintainers appear to be me, @Waterdrips @mfridman and @lggomez

I need to read a bit how to create an org that’s fully independent on GitHub but let’s see if we can agree on a name first

EDIT: I'll give it another ~week or so, and if no response will setup a repo here and invite the others that were interested:

https://github.com/golang-jwt/jwt

@mcoops
Copy link

mcoops commented May 14, 2021

I'm a fan of golang-jwt/jwt

@oxisto
Copy link

oxisto commented May 18, 2021

In case we don't get any responses on gofrs/help-requests#41 I propose creating a separate repo among those interested within this thread.

golang-jwt/jwt or go-jot/jwt or other, any preferences?

...
What should we call the org?
initial names for maintainers appear to be me, @Waterdrips @mfridman and @lggomez
I need to read a bit how to create an org that’s fully independent on GitHub but let’s see if we can agree on a name first

EDIT: I'll give it another ~week or so, and if no response will setup a repo here and invite the others that were interested:

https://github.com/golang-jwt/jwt

Being a little late to the party… are you still looking for co-maintainers? I would be very interested and willing to help. Stemming from my professional work as a security researcher, this project is quite close to my heart. golang-jwt sounds reasonable to me.

@mfridman
Copy link

...It seems like the best course of action would be to clone this into its own org and then set this repo up to mirror that one until users can fully migrate over. That's probably also a good opportunity to correctly implement go mod support.

@dgrijalva A clone (not fork) was created here: https://github.com/golang-jwt/jwt

What is your preference ..

  1. Transfer repository to the golang-jwt org, as described here?
  2. Archive https://github.com/dgrijalva/jwt-go with a README pointing to the newly cloned repo, golang-jwt/jwt?

Or did you have another approach in mind?

@dgrijalva
Copy link
Owner Author

Hi! Sorry for the delay. It looks like we're moving in the direction of https://github.com/golang-jwt/jwt? I have no real preference other than wanting to be careful not to break things for people currently using the library. Ideally, that means this URL remains available (for a while) and includes instructions to help people migrate to the new location.

@dgrijalva
Copy link
Owner Author

There seems to be a few different approaches still on the table here. Can we get to a consensus on:

  • who's going to raise their hand to be a maintainer (ideally a few people)
  • where will the repository live?
  • what steps will we take to migrate the project?
  • what instructions will we provide to users of the library to keep their projects working?

A simple option to start might be to just give maintainer access to a few people right in place. That will allow us to get out updates and address major issues while the rest is sorted out. Does anybody know if there's a reason that might be a bad idea?

@mcoops
Copy link

mcoops commented May 27, 2021

A simple option to start might be to just give maintainer access to a few people right in place. That will allow us to get out updates and address major issues while the rest is sorted out. Does anybody know if there's a reason that might be a bad idea?

This is preferable and would allow the critical security issues to be addressed at least, I assume you mean on the new repo not this one?

who's going to raise their hand to be a maintainer (ideally a few people)

Whoever has said yes in this thread so far (including myself) I think to begin with.

where will the repository live?

It's done? https://github.com/golang-jwt/jwt

what instructions will we provide to users of the library to keep their projects working?

I think this will simply just be a notice on this repo advising people to start migrating over? Otherwise we might be able to do a github redirect, but I think that might be unclear then what's happening.

zwass added a commit to fleetdm/fleet that referenced this issue Aug 6, 2021
- The former repo has been migrated (see
  dgrijalva/jwt-go#462).

- Dependabot alerted on a security issue in the old
  version (GHSA-w73w-5m7g-f7qc). This issue
  should not effect Fleet due to no use of `aud` claims.
JustSomeCarbon pushed a commit to influxdata/flux that referenced this issue Aug 9, 2021
…3901)

The dgrijalva/jwt-go project is no longer maintained and has a security
vulnerability. Update our dependencies that pull in jwt-go to new
versions that use the security-patched form3tech-oss/jwt-go.

The following was performed:

1. update go.mod to use go-autorest/autorest/adal v0.9.5 (the first
   release to use form3tech-oss/jwt-go)
2. update go.mod to use go-autorest/autorest/azure/auth v0.5.3 (the
   first release to use adal v0.9.5)
3. update go.mod to use snowflakedb/gosnowflake v1.3.13 (the latest
   1.3.x release, which uses form3tech-oss/jwt-go)
4. go mod tidy
5. make test

References:
- dgrijalva/jwt-go#462
jhernand added a commit to jhernand/ocm-sdk-go that referenced this issue Aug 10, 2021
The `dgrijalva/jwt-go` library is no longer maintained and `golang-jwt/jwt` is a
community maintained fork. See dgrijalva/jwt-go#462
for detailts.

Parts of the public interface of the SDK use this library, so this is a
backwards compatibility breaking change. Projects using the SDK will need to
switch to the new library, specially if they are using the
`context.ContextWithToken` or `context.TokenFromContext` functions. The change
should only require changing the import paths, as the fork is fully compatible
with the original library.

A simple way to do the required changes is the following command:

```
$ find . -name '*.go' | xargs sed -i 's|dgrijalva/jwt-go|golang-jwt/jwt|'
```

This also addresses CVE-2020-26160, but that vulnerability doesn't
currently affect the SDK because the authentication handler doesn't use
the `aud` claim.

Related: openshift-online#421
Related: dgrijalva/jwt-go#462
Related: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
Signed-off-by: Juan Hernandez <[email protected]>
jhernand added a commit to jhernand/ocm-cli that referenced this issue Aug 11, 2021
The more relevant change in the new version of the SDK is the switch
from `dgrijalva/jwt-go` to `golang-jwt/jwt`.

Related: openshift-online/ocm-sdk-go#421
Related: dgrijalva/jwt-go#462
Signed-off-by: Juan Hernandez <[email protected]>
mtraver added a commit to mtraver/iotcore that referenced this issue Aug 12, 2021
See dgrijalva/jwt-go#462 for more info. This also addresses
CVE-2020-26160 since github.com/golang-jwt/jwt v3.2.1 fixes the issue.
lwsanty pushed a commit to lwsanty/go-jira that referenced this issue Aug 18, 2021
andygrunwald#343

 https://github.com/dgrijalva/jwt-go has been abondoned (see dgrijalva/jwt-go#462). In order to fix the vulnarability we have to switch to a community driven fork https://github.com/golang-jwt/jwt . The issue has been fixed in golang-jwt/jwt#12

(cherry picked from commit fff481a)
lwsanty added a commit to lwsanty/go-jira that referenced this issue Aug 18, 2021
andygrunwald#343

 https://github.com/dgrijalva/jwt-go has been abondoned (see dgrijalva/jwt-go#462). In order to fix the vulnarability we have to switch to a community driven fork https://github.com/golang-jwt/jwt . The issue has been fixed in golang-jwt/jwt#12

(cherry picked from commit fff481a)

Co-authored-by: Yar Krvtsov <[email protected]>
longsleep added a commit to longsleep-io/lico that referenced this issue Oct 15, 2021
longsleep added a commit to libregraph/lico that referenced this issue Oct 15, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests