-
-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Statement from the maintainer #576
Comments
Sorry to see your attempts to contribute being treated so rudely by @bluca. His expressions are filled with arrogance and disrespect. Disregarding the existing issue, he continuously using a condescending tone to obstruct your feedback and contributions, and abruptly closed your issue and deleted your repository, instead of trying to communicate and resolve the actual problems with contributors. |
Totally understand your concern and feelings. Together with zeromq/libzmq#4550 , given the fact that no official release is being made for +2 years, this project seems stalled to me. And not welcoming good intentions at all... Not that anyone will care, but most likely I will be moving to nanomsg https://github.com/nanomsg/nng Anyway, thank you very much for your work @aminya |
There are many things that projects guests of this org can do, almost anything as it can be seen from the list of repositories. But there are still some limits. My duty as one of the project leaders is not to make you happy whatever the cost may be, it's to ensure those limits are not overstepped resulting in a security disaster down the line for the project. You were told with extreme clarity and no uncertainty that forking cryptographic primitives inside the org for the sake of convenience was not an OK thing to do, as there are neither cryptographers nor a 24/7 on-call security team available here to do the required maintenance work that would become necessary. You went ahead and you forked a third-party cryptographic library inside the org anyway. So yes, of course I stepped in, and I would do so again in the same situation, as that's my (unpaid) job. Github is a big place, and you are free to expose users to disastrous security incidents from your own personal repositories or from any other org that does not care about security practices and supply chain security, if you wish, so that the responsibility when things inevitably go south lies with you or a third org. Not from this org, though. Due to the total lack of paid engineering resources we are already struggling as it is to keep the lights on, and I'll be damned if I let major, obvious and glaring security malpractices creep in this org for the sake of convenience. And if that upsets you, well, sorry, but the answer is still no. |
Disclaimer: I did not check the language of all posts by @bluca on this issue. However I DO support his statement hereabove. |
Hey @aminya , we can't ask @bluca to change their security policies, but |
As I mentioned on the PR, fixing cmake bugs around static linking is fine. |
Is this package still being maintained? I see it's been >2 months since the last commit. I am not any kind of expert on zmq or libsodium to be commenting much on the context here, but I do believe 2 things:
That said, I appreciate the people maintaining and contributing to this excellent project and I hope it keeps moving forward. |
Interesting divergence to the technical issues in this discussion rather than the main problems I mentioned in this statement.
I have not seen a change in the attitude and behaviour. What I can do is to fork things to my personal account, so people cannot delete the repositories I create, and then I can continue maintaining this. |
@bluca what is your suggestion to get out of this deadlock? |
↓↓↓↓↓↓↓↓↓↓↓
|
Hello @aminya , I recently started using zeromq.js 6.0 and came upon this issue. I just wanted to ask if the commit on November 20th means that this repo is being actively maintained again. It seems like a great project and we really appreciate your contributions 😄 |
I am writing to express my concerns about the recent events that have taken place regarding my work on zeromq.js. As you are aware, I have been working on this library in my free time and have put a lot of effort into making it a success. I tried to support the development of zeromq.js as a library used by millions through huge projects such as VSCode Jupyter integration.
However, I have recently experienced some issues with the way that my work has been treated. Specifically, my repositories were deleted without my knowledge and I have been treated with unprofessional behaviour. This has left me feeling disrespected and unappreciated.
I believe that it is the responsibility of @zeromq/core to ensure that all community members are treated with respect and professionalism. Unfortunately, I do not feel that this has been the case in my interactions with libzmq. If this is not possible, I will be forced to reconsider my involvement with zeromq.js.
Thank you all for your attention to this matter.
More Context:
zeromq/libzmq#4562 (comment)
zeromq/libzmq#4484 (comment)
The text was updated successfully, but these errors were encountered: