This project is currently not under active development #388
Comments
Two proposals from me:
By the way, is @eriktalvi involved in this project any more?
@mauromol I would also be interested in taking over maintenance of this project. I was considering making a fork for my own purpose or maybe writing one from scratch that suits my needs, but obviously neither one of those options is ideal. Depending on OneLogin's stand on this, we could start a new fork without any OneLogin references. I don't think the migration for any clients using this would be too cumbersome. I can commit a fair bit of time to this, as the alternative would pretty much mean writing my own.
Hi @mauromol, I'm also considering forking all SAML repos and trying at least to give them critical support/maintenance, not only the java-saml one. I will try to contact someone at OneLogin to see if that is going to be possible.
Hi all - Engineer at OneLogin here. Starting the process to get these all transferred over to @pitbulk. Not sure how long it will take, but since they are already open source, I don't see how they can be against it...
Thanks for the news and thanks @pitbulk for stepping up. I hope the transition for this project will be quick.
How's it going with the transfer? And does this include the rights to update the packages on PyPI?
Development Update. OneLogin is releasing these projects to a new organization with @pitbulk. This migration is actively happening and the priority is to make the transition as seamless as possible for end users of these repo/packages. We expect that there are several questions that you all have and we are working with @pitbulk to answer those in our next update. Below are some answers we have for you now. What is being changed? Which projects are being moved? When will this transfer happen? Why is this transfer happening? When will the next update be?
December ping :)
Development Update. Although it may not seem like it, the last month had a lot of progress and the primary SAML Toolkit repos and packages have been transferred from OneLogin to this new SAML Toolkit Org. @pitbulk now has all the access needed to maintain these toolkits and will be providing his own update. There has been a lot of pent-up demand for support on these repos and now that this transfer is finished you should expect to see a lot more progress on that! There are still four repos (wordpress-saml, moodle-saml, joomla-saml, drupal-saml) left to transfer and these will be finished in the upcoming weeks. Cheers! (Thanks for the ping @danielstravito)
January update?
I'll let @pitbulk give a longer update, but the migration has happened and these repos are now part of the SAML-Toolkits org.
I started to provide support to the SAML toolkits. I started with the python-saml and python3-saml repos, continued with the ruby-saml and now I'm working on the php-saml toolkit. The java-saml is going to be the next one, but first I need to update and release the php-saml toolkit. Once I clean, reply to issues, take care of old PRs, update dependencies and make an official release, the maintenance on all repos will be done in parallel, but there was a lot of work to be done and I'm doing it in my spare time that is very limited atm.
@eriktalvi, correct me if I'm wrong, but it appears that not all of the projects mentioned above have been migrated yet? I am particularly interested in the migration of wordpress-saml, which seems to still be pending migration per @pitbulk's comment this last May. Would it be possible to get an update on this? Thank you for your efforts to allow the continued open-source development of these projects!
How is the progress with java-saml?
Looks like @pitbulk moved on from OneLogin a while ago.
Really late to this, but a little background on OneLogin: OneLogin doesn't have engineers anymore (there's less than 10 people in the engineering side of things these days...probably less than 5 now...and they will be going away as soon as the company can extract knowledge from them). OneLogin was bought out by private equity and everything has been contracted to outside of the company. Open source libraries were essentially the first thing abandoned once they were acquired (well, except for the employees). There's a single person (@pitbulk) really looking at any repo under this org. I don't know how he does it. After working at OneLogin, my personal desire to code or engineer is completely gone. That company trampled the spirits of a lot of engineers. TLDR - Every project in this org is maintained by one engineer with a full-time job and a personal life working for free. If you work for a company utilizing this code, it might be worth telling them to send a paycheck to @pitbulk or @eriktalvi for any critical improvements. Note: Erik is the one that fought for these repos to be handed over to Sixto. Without him, these would have been slowly killed and possibly made private. It took nearly a year to get this done.
If it took nearly a year to get this in place, why just let it rot now? This background information makes it feel even more destructive what's going on in #395 where people have reached out to help with maintainership only to be met with silence, and empty promises of "I'll look into this RSN". Better try to find some solid names before JiaT75 enters the chat. Broadening the set of co-maintainers doesn't necessarily have to mean handing over the keys to the castle like in the xz case, merely reducing the overall burden.
@dsvensson Everyone only has so much energy. Vetting someone to take over is not zero work. When it comes to SAML specifically, the potential for things to go wrong is high. I think you're asking the wrong question: Why should the weight of a set of repos, used primarily by companies, with record profits, rest upon the actions of one person for zero compensation? Pressure to give free labor at the expense of one's well-being is what enabled the JiaT75 situation. Complaining that the repo is not well maintained enough is literally how JiaT75 got commit rights in the first place. The mental health of open source contributors is greater than the needs of companies. If they cannot wait for the maintainer to find time, then they either need to compensate said maintainer so they prioritize the efforts OR they need to do the work themselves. The code is open. Nothing is stopping anyone from forking it.
I completely understand that people's time and energy is limited, and I certainly understand why the original maintainers would not want to keep working on this. I am not trying to make someone do something they don't want to. I'm simply trying to evaluate if this project is end of life or not, and if it is EOL then I want to see if there is a community to bring it forward. From this exchange it sounds like we are at the end of the road for this repo. I don't have any way of paying contributors to maintain this project. Even if I did, I don't think I could rely heavily on a project that only gets critical updates. I have a vested interest in the java-common-core module, and I have no problems justifying spending work hours on that. I will start looking into what a fork would look like under the MIT license and my workplace policies, and weighing the red tape of that vs starting a library from scratch. Are there others that are willing to contribute to either a fork, or this current repo if @pitbulk would be willing to vet us? I just want to stress that I appreciate the effort that has been put into this project, and I'm not trying to coerce anyone into doing something that they don't want.
@haavar, I'm always open to collaborations, but as we saw in the recent XZ Utils issue, I am responsible for the final release and what is pushed. Sadly, it is not that easy to grant 2-3 new maintainers permissions and allow them to take care of the project. The current challenge is that I had no time to review the work done by @markkolich at #395 and find a way to adapt it in a way that current Java projects will keep working after an update. @haavar, if you or anyone can spend time on this task and unblock this part, the rest of the work is going to be a matter of fixing some expired payloads used in tests, reviewing and merging some pending PRs and doing the release.
Hello everyone, we here at OneLogin wanted to let you know that this project is currently not under active development. We apologize for recent silence and continued wait, but we intend to resume maintenance in the future.
Note that I am unable to make any more changes to this repository, and I don't have someone I can forward you to at this time.