Current status of this repo #45
Comments
It would be great if this could become a community project. I'm happy to help out and share maintenance. @Wesseldr @jedrivisser what do you think? |
I made some fixes that I tried to merge in a while ago and used for personal projects, but I have not used this library in a while. |
@jedrivisser are you using a different library or moved away from WebAuthn? |
@apowers313 would you be open to letting someone else maintain this project, and/or putting it under a separate organisation? |
I moved away. But feel free to ask if some of the changes I made are not clear |
When was the last time anyone had any contact with @apowers313? Seems he hasn't been on GitHub this year, looking at his profile, may be worth sending him an email. |
I sent him an email today, hopefully he gets back to me soon |
Otherwise could we maybe move this into a non-profit account and use that one as active fork? It would be great to use all the new developments and allow bugfixes, instead of having to resort to patching libraries. |
Great Idea, How about |
Feel free to suggest any organizational changes (Will need to update readme to credit @apowers313 and outline reasons for the repo/org existing) but here we go: https://github.com/FIDO-Tools/fido2-lib |
Hm that is not really what I imagined when talking about a non-profit org, because it is very intransparent who owns the organization and we are talking about a vital security part. It would be great if you could make it more transparent. We will also need to connect it back to travis and make it available on npm, as well as merging all relevant PRs in the fork. I will do some playing with my fork and see if all works out. |
I've done all of it here (publish to npm, rewrite pages, set up CD etc) and will merge all good PRs from here then: https://github.com/jamescullum/fido2-lib |
Thank you James! Great work! |
They used to have a list of reference implementations, but I don't find that page and link to this library anymore. Do you have it somewhere? I will google for other references to this library and ask them. |
Great work. The reason I think it's best placed in an organization is that maintainers can come and go with very little changes, and I agree, at least shoot the FIDO Alliance an email (anyone wants to do it? I don't mind doing it otherwise). |
I agree that an organization is a good approach, but it should be a real organization, not just one on Github, so that there is credibility behind it and people can use it for their projects without worrying about opening themselves up to a supply chain attack. I wasn't able to find a good contact for the FIDO Alliance, so you're more than welcome to shoot the email :) |
@JamesCullum As you mentioned transparency, I believe it's fully transparent, just see https://github.com/orgs/FIDO-Tools/people also an org is not tied to an account. |
@JamesCullum If you don't mind elaborating on "real organization", not quite sure what you think this would entail |
I mean something like the FIDO Alliance or OWASP - a real organization, a legal entity. Someone who can manage maintainers for a long time and with a sincere goal. Of course your Github organization shows you behind it, but as it's not clear who that exactly is, an org would make more sense for me. |
That would be great, however a few issues I see: Secondly, that approach seems heavy handed and would require much more discussion and fleshing out, positioning any work that could be being done on the repo. And personally I don't believe there needs to be another organization providing a service like this, but that's only my take on it. |
I don't really mean the org managing it in a big way, but the org taking responsibility for assigning and checking maintainers (OWASP does it this way, for example). I agree with your points - hence until then, my fork could be sufficient. However when we talk about a future-proof solution, where no single anonymous person is in control of it, there won't be a way around having an org manage it. |
Don't mean to be rude, but I think that the github org I created fulfills that, we outline a few admins and if the time comes when people have moved on new maintainers can be brought in, the org is not tied to my account in any way like your fork is, so I believe using the org I created is best (I sent you an invite) |
may be easy to do it this way: https://help.github.jp/enterprise/2.11/user/articles/transferring-a-repository-owned-by-your-personal-account/ |
Hmm I worry a bit about the accountability and security behind such an anonymous organization, but we can give it a shot. If you delete your fork, I will move mine there and we set up the org as good as possible. |
Hey y'all, sorry I've been neglecting this for so long. As a bit of background, I was working for FIDO when I started this project and then I was going to start a consulting company (WebAuthn Consulting). As I was trying to convince Amazon to be one of my first customers, they convinced me to come work for them instead and they have kept me plenty busy since then. I have totally been ignoring this repo and I didn't realize it had this much traction. I would be happy to add collaborators to this collection of projects and grant access to the webauthn.org domain. Let me know if anyone is interested or if you guys have already figured out how to work around my lack of care and feeding. :) |
Hey @apowers313 - great to hear back from you! We could either add maintainers to this project or move it into an organization, which would have less impact for your account. Which way would you prefer? |
I agree with @JamesCullum. Since there are a few repos, having them all in one place would be great. |
@apowers313 I've invited you into the org - if you can move your package there we can take care of pushing all updates there. I've also invited you to the npm org - if you grant the org write permission, we can manage that part as well. |
Thanks, I'll work on transferring over packages tonight. Do you want all of them, or just this one? |
I think all of them, as there's certainly quite a few that are closely related and need maintaining |
Sorry, I don't see the organization invite... which organization is it? |
Just use the org you just created, there was nothing much in place yet anyway, set it up how you want and we'll go from there |
Up and running: https://github.com/webauthn-open-source Anyone that's interested in joining should ping me. I think I transferred over all the interesting / real projects. I had some Polymer / web component stuff and half-finished authenticator code. Let me know if that's of any interest, or if it would just junk up the organization. I also transferred over the WebAuthn logos (which I hear have been used by W3C) and a little project with a graphic of the status of platform adoption. FIDO Alliance bugs me from time to time to update it. ;) If you see any of my other repos that I should transfer over, just let me know. I'm not sure if transferring repos will break TravisCI. I can help you guys get it back up and running with the new org if it ends up being broken. Also happy to point webauthn.org at a server if someone feels like setting it up and maintaining it. If there's anything else, or if you have questions about the code architecture or design patterns, please let me know. :) |
What about the npm org? I've created a team inside the org to discuss all details there |
Hi there! Just found this issue and I think it would be interesting to show my interest here. I am a final year CS student doing my dissertation on WebAuthn and I am using this library to build a tool for debugging authenticators. I can offer my modest experience and give a hand by contributing to the project. I'm looking forward to seeing a nice community around this! Of course, as @JamesCullum asks, it would be interesting to link it with npm org, and find some maintainers for this. I would also really appreciate any feedback/help with my dissertation. |
Hey! I'm currently using the npm packet I found one published 5 months ago: https://www.npmjs.com/package/fido2-lib-node. Do you know any alternative to this? @JamesCullum |
@martinord Sadly @apowers313 did not complete any handover - he did not give us access to npm or give us write permission to any repository. My fork was moved to another org and, after being accidentally deleted twice by another member, lost the links to the comments I've made here. However I am currently using and will be using and maintaining my fork until this one is maintained again. You can find it here: https://github.com/FIDO-Tools/fido2-library It has most PRs integrated and is fully tested and integrated with npm. |
@JamesCullum Oh I see. Then I will consider using your fork, hoping Adam comes back to give permissions so all the efforts can be united. I was thinking of doing a PR, should I do it on your fork or here? |
I think it's best if you create a fork of this repository, add your changes and create a PR for both. One time the effort, but your changes can be integrated in both cases :) |
@apowers313 any updates on your plans if any to add other maintainers? |
In case anyone's interested, I've been working on an alternative: https://github.com/davedoesdev/webauthn4js I'd welcome your feedback. No doubt it needs some work but I thought I'd mention it in case it's of any use to someone. |
He added other maintainers, but didn't grant us any permissions. The maintained fork is available here: https://github.com/FIDO-Tools/fido2-library |
I can add some more this afternoon and grant others permissions. Who should I add and who should I give the right to add more? |
Thanks - we can keep it like this for now and can add people for specific parts down the road. I will go through this repository later on, but we still have the issue with the npm connection - even a maintained repository will not update the real package. @apowers313 can you provide us inside the team with access to the npm package? I've added on Travis already the environment variable with a placeholder - you will only need to add a valid token. If you need help, feel free to contact me directly. |
Hello! What is the difference and status of this repository, versus https://www.npmjs.com/package/fido2-library? I see that the latter is both ahead and behind commits from the forked origin. |
Hey @JayHelton, the fido2-library represents the code of the fork, which used to be the only way to receive updates as there was no maintenance possible in this repository. As I was finally given permission to merge changes here, I was able to merge most changes back to here and implement most things. However as @apowers313 has not shared any access to npm, the package associated with this code has not been updated. This means that the code in the repositories is the same, but on npm the package of this repository (as you can see in the README) is not updated and still contains vulnerabilities etc. The code differences are mostly due to different orders and to provide an npm package and maintain healthy links inside a fork. |
Happy to transfer over the npm. Want to spin up a new group to own it or something? |
Hey @apowers313, I would leave it as it is - will just need the npm token for deployment. |
Hi there! Any updates on this? @JamesCullum are you already able to update the npm |
No worries - once I am provided access to the npm repository, I will publish it everywhere. However so far there has been no progress in granting access to the package. |
@JamesCullum what's your npm username so that I can add you as a maintainer? |
@apowers313 My npm username is |
Hi! Any updates on this? |
Sadly none, I still don't have access to the npm package. |
Just noticed that I do actually have access in npm. Will try to update the code here again to be at the same code state as fork. |
I recently started using this repo, however it seems to be stale, there are many open PRs solving various issues. @apowers313 is there any chance some of these can be merged, or could someone be appointed to manage this repo?