-
Notifications
You must be signed in to change notification settings - Fork 995
Migrating Maintenance #462
Comments
Pinging a few who were involved in earlier discussions: @camin-mccluskey @Waterdrips @mcoops @lggomez @adamchalmers @alexells @brianmay |
I'd be happy to start an org and contribute, but I'd need at least 3 others to stand up and be willing to be co maintainers as this is quite a popular lib I think good coverage is needed. In the absence I'd vote for:
|
Many thanks for your work on this project @dgrijalva.
Happy to be involved, under the same caveat of enough other co-maintainers |
Indeed, thank you for the implementation and maintaining it over the many years @dgrijalva
I echo this sentiment and would be happy to get involved (with the caveat there would be a few others). I think this is important for a few reasons:
|
Sorry for the delay in my response. Also glad to see that @dgrijalva is alive after all and was just a lack of time issue. I wouldn't mind lending a hand in the project, under the clarification that my availability may be bound to work and study (as I guess it does for most of you folks). Aside from the work I did to locally port the claims fix and perform a quick glance of the code base, I see there is a lot of work which is already done to process (as for the v4 branch and all of the open PRs) |
Ok so it looks like we at least have a number of initially interested maintainers. What should we call the org? initial names for maintainers appear to be me, @Waterdrips @mfridman and @lggomez I need to read a bit how to create an org that’s fully independent on GitHub but let’s see if we can agree on a name first |
|
As long as it doesn't have Note that
Something on this route could work also |
I like the explicitness of My vote is for An alternative might be to approach existing community orgs with a focus on oss Go packages? E.g., https://github.com/pkg I doubt this would get accepted into the go /x/ package, but that would be the ideal scenario whereby the community would have an "officially" supported JWT package that has some backing from the Go team. |
Hmm, was not aware of those groups, definitely worth approaching ones with 3+ maintainers I think |
I would mention https://github.com/gofrs, which is a group composed of new maintainers of previously abandoned or deprecated projects such as https://github.com/gofrs/uuid |
|
Just want to throw out other alternatives, thoughts?
|
The reason we mentioned 1 as not an option is because (I at least) felt a independantly maintained project is best rather than one associated with some company. |
Unless no objections, I'll submit an issue for https://github.com/gofrs/help-requests EDIT: linking for brevity (another issue was already opened) at gofrs/help-requests#41 |
In case we don't get any responses on gofrs/help-requests#41 I propose creating a separate repo among those interested within this thread.
EDIT: I'll give it another ~week or so, and if no response will setup a repo here and invite the others that were interested: |
I'm a fan of golang-jwt/jwt |
Being a little late to the party… are you still looking for co-maintainers? I would be very interested and willing to help. Stemming from my professional work as a security researcher, this project is quite close to my heart. |
@dgrijalva A clone (not fork) was created here: https://github.com/golang-jwt/jwt What is your preference ..
Or did you have another approach in mind? |
Hi! Sorry for the delay. It looks like we're moving in the direction of https://github.com/golang-jwt/jwt? I have no real preference other than wanting to be careful not to break things for people currently using the library. Ideally, that means this URL remains available (for a while) and includes instructions to help people migrate to the new location. |
There seems to be a few different approaches still on the table here. Can we get to a consensus on:
A simple option to start might be to just give maintainer access to a few people right in place. That will allow us to get out updates and address major issues while the rest is sorted out. Does anybody know if there's a reason that might be a bad idea? |
This is preferable and would allow the critical security issues to be addressed at least, I assume you mean on the new repo not this one?
Whoever has said yes in this thread so far (including myself) I think to begin with.
It's done? https://github.com/golang-jwt/jwt
I think this will simply just be a notice on this repo advising people to start migrating over? Otherwise we might be able to do a github redirect, but I think that might be unclear then what's happening. |
- The former repo has been migrated (see dgrijalva/jwt-go#462). - Dependabot alerted on a security issue in the old version (GHSA-w73w-5m7g-f7qc). This issue should not effect Fleet due to no use of `aud` claims.
…3901) The dgrijalva/jwt-go project is no longer maintained and has a security vulnerability. Update our dependencies that pull in jwt-go to new versions that use the security-patched form3tech-oss/jwt-go. The following was performed: 1. update go.mod to use go-autorest/autorest/adal v0.9.5 (the first release to use form3tech-oss/jwt-go) 2. update go.mod to use go-autorest/autorest/azure/auth v0.5.3 (the first release to use adal v0.9.5) 3. update go.mod to use snowflakedb/gosnowflake v1.3.13 (the latest 1.3.x release, which uses form3tech-oss/jwt-go) 4. go mod tidy 5. make test References: - dgrijalva/jwt-go#462
The `dgrijalva/jwt-go` library is no longer maintained and `golang-jwt/jwt` is a community maintained fork. See dgrijalva/jwt-go#462 for detailts. Parts of the public interface of the SDK use this library, so this is a backwards compatibility breaking change. Projects using the SDK will need to switch to the new library, specially if they are using the `context.ContextWithToken` or `context.TokenFromContext` functions. The change should only require changing the import paths, as the fork is fully compatible with the original library. A simple way to do the required changes is the following command: ``` $ find . -name '*.go' | xargs sed -i 's|dgrijalva/jwt-go|golang-jwt/jwt|' ``` This also addresses CVE-2020-26160, but that vulnerability doesn't currently affect the SDK because the authentication handler doesn't use the `aud` claim. Related: openshift-online#421 Related: dgrijalva/jwt-go#462 Related: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160 Signed-off-by: Juan Hernandez <[email protected]>
The more relevant change in the new version of the SDK is the switch from `dgrijalva/jwt-go` to `golang-jwt/jwt`. Related: openshift-online/ocm-sdk-go#421 Related: dgrijalva/jwt-go#462 Signed-off-by: Juan Hernandez <[email protected]>
See dgrijalva/jwt-go#462 for more info. This also addresses CVE-2020-26160 since github.com/golang-jwt/jwt v3.2.1 fixes the issue.
andygrunwald#343 https://github.com/dgrijalva/jwt-go has been abondoned (see dgrijalva/jwt-go#462). In order to fix the vulnarability we have to switch to a community driven fork https://github.com/golang-jwt/jwt . The issue has been fixed in golang-jwt/jwt#12 (cherry picked from commit fff481a)
andygrunwald#343 https://github.com/dgrijalva/jwt-go has been abondoned (see dgrijalva/jwt-go#462). In order to fix the vulnarability we have to switch to a community driven fork https://github.com/golang-jwt/jwt . The issue has been fixed in golang-jwt/jwt#12 (cherry picked from commit fff481a) Co-authored-by: Yar Krvtsov <[email protected]>
See: #457
I haven't had time to maintain this project for quite a while. I originally made it just for myself, but it appears to have become quite popular. It seems like the best course of action would be to clone this into its own org and then set this repo up to mirror that one until users can fully migrate over. That's probably also a good opportunity to correctly implement go mod support.
Does anybody want to take over as maintainer? It looks like
jwt-go
already exists as a github org. Name ideas?The text was updated successfully, but these errors were encountered: