Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Statement from the maintainer #576

Closed
aminya opened this issue Jun 25, 2023 · 11 comments · Fixed by #665
Closed

Statement from the maintainer #576

aminya opened this issue Jun 25, 2023 · 11 comments · Fixed by #665

Comments

@aminya
Copy link
Member

aminya commented Jun 25, 2023

I am writing to express my concerns about the recent events that have taken place regarding my work on zeromq.js. As you are aware, I have been working on this library in my free time and have put a lot of effort into making it a success. I tried to support the development of zeromq.js as a library used by millions through huge projects such as VSCode Jupyter integration.

However, I have recently experienced some issues with the way that my work has been treated. Specifically, my repositories were deleted without my knowledge and I have been treated with unprofessional behaviour. This has left me feeling disrespected and unappreciated.

I believe that it is the responsibility of @zeromq/core to ensure that all community members are treated with respect and professionalism. Unfortunately, I do not feel that this has been the case in my interactions with libzmq. If this is not possible, I will be forced to reconsider my involvement with zeromq.js.
Thank you all for your attention to this matter.

More Context:
zeromq/libzmq#4562 (comment)
zeromq/libzmq#4484 (comment)

@crimx
Copy link

crimx commented Jun 25, 2023

Sorry to see your attempts to contribute being treated so rudely by @bluca. His expressions are filled with arrogance and disrespect. Disregarding the existing issue, he continuously using a condescending tone to obstruct your feedback and contributions, and abruptly closed your issue and deleted your repository, instead of trying to communicate and resolve the actual problems with contributors.

@Bartel-C8
Copy link
Contributor

Totally understand your concern and feelings.
I was following the conversations and had the same thought.

Together with zeromq/libzmq#4550 , given the fact that no official release is being made for +2 years, this project seems stalled to me. And not welcoming good intentions at all...

Not that anyone will care, but most likely I will be moving to nanomsg https://github.com/nanomsg/nng

Anyway, thank you very much for your work @aminya

@bluca
Copy link
Member

bluca commented Jun 25, 2023

There are many things that projects guests of this org can do, almost anything as it can be seen from the list of repositories. But there are still some limits. My duty as one of the project leaders is not to make you happy whatever the cost may be, it's to ensure those limits are not overstepped resulting in a security disaster down the line for the project.

You were told with extreme clarity and no uncertainty that forking cryptographic primitives inside the org for the sake of convenience was not an OK thing to do, as there are neither cryptographers nor a 24/7 on-call security team available here to do the required maintenance work that would become necessary.

You went ahead and you forked a third-party cryptographic library inside the org anyway. So yes, of course I stepped in, and I would do so again in the same situation, as that's my (unpaid) job.

Github is a big place, and you are free to expose users to disastrous security incidents from your own personal repositories or from any other org that does not care about security practices and supply chain security, if you wish, so that the responsibility when things inevitably go south lies with you or a third org. Not from this org, though.

Due to the total lack of paid engineering resources we are already struggling as it is to keep the lights on, and I'll be damned if I let major, obvious and glaring security malpractices creep in this org for the sake of convenience. And if that upsets you, well, sorry, but the answer is still no.

@gotcha
Copy link

gotcha commented Jun 26, 2023

Disclaimer: I did not check the language of all posts by @bluca on this issue.

However I DO support his statement hereabove.

@n-riesco
Copy link
Contributor

Hey @aminya ,

we can't ask @bluca to change their security policies, but zeromq.js's security standards are lower (e.g. for many years, we've distributed a precompiled libzmq for windows). Couldn't we do something similar and have the patch required to statically link libsodium distributed in zeromq.js?

@bluca
Copy link
Member

bluca commented Jun 29, 2023

As I mentioned on the PR, fixing cmake bugs around static linking is fine.
The key is that someone else, not the org, provides the actual crypto primitives code, so that it's on them to maintain it and support it when it inevitably needs security maintenance, and not on this org.

@sangaman
Copy link

Is this package still being maintained? I see it's been >2 months since the last commit.

I am not any kind of expert on zmq or libsodium to be commenting much on the context here, but I do believe 2 things:

  1. Both libzmq and this zeromq.js package ought to be very conservative about working with cryptographic libraries and primitives, and should not be directly responsible for maintaining them.

  2. Maintainers ought to be patient and understanding with each other. We all have the same goals here, disagreements about the best way to achieve those goals are normal and shouldn't result in deadlocks. A lot of people are putting in a lot of time and effort in exchange for no money, so the least they deserve is patience and appreciation and of course that goes both ways.

That said, I appreciate the people maintaining and contributing to this excellent project and I hope it keeps moving forward.

@aminya
Copy link
Member Author

aminya commented Sep 13, 2023

Interesting divergence to the technical issues in this discussion rather than the main problems I mentioned in this statement.

Is this package still being maintained?

I have not seen a change in the attitude and behaviour. What I can do is to fork things to my personal account, so people cannot delete the repositories I create, and then I can continue maintaining this.

@aminya aminya pinned this issue Sep 13, 2023
@farzadpanahi
Copy link

@bluca what is your suggestion to get out of this deadlock?

@bluca
Copy link
Member

bluca commented Sep 27, 2023

@bluca what is your suggestion to get out of this deadlock?

↓↓↓↓↓↓↓↓↓↓↓

As I mentioned on the PR, fixing cmake bugs around static linking is fine. The key is that someone else, not the org, provides the actual crypto primitives code, so that it's on them to maintain it and support it when it inevitably needs security maintenance, and not on this org.

@WolffRuoff
Copy link

Hello @aminya , I recently started using zeromq.js 6.0 and came upon this issue. I just wanted to ask if the commit on November 20th means that this repo is being actively maintained again. It seems like a great project and we really appreciate your contributions 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants