Current status of this repo #45

Closed
sachaw opened this issue Feb 27, 2020 · 56 comments
Comments

@sachaw

sachaw commented Feb 27, 2020

I recently started using this repo, however it seems to be stale; there are many open PRs solving various issues. @apowers313 is there any chance some of these can be merged, or could someone be appointed to manage this repo?

@davedoesdev

It would be great if this could become a community project. I'm happy to help out and share maintenance. @Wesseldr @jedrivisser what do you think?

@jedrivisser
Contributor

I made some fixes that I tried to merge in a while ago and used for personal projects, but I have not used this library in a while.

@davedoesdev

@jedrivisser are you using a different library or moved away from WebAuthn?

@davedoesdev

@apowers313 would you be open to letting someone else maintain this project, and/or putting it under a separate organisation?

@jedrivisser
Contributor

> @jedrivisser are you using a different library or moved away from WebAuthn?

I moved away. But feel free to ask if some of the changes I made are not clear

@sachaw
Author

sachaw commented Mar 10, 2020

When was the last time anyone had any contact with @apowers313? Seems he hasn't been on GitHub this year, looking at his profile. It may be worth sending him an email.

@sachaw
Author

sachaw commented Apr 7, 2020

I sent him an email today, hopefully he gets back to me soon

@JamesCullum
Member

Otherwise could we maybe move this into a non-profit account and use that one as active fork? It would be great to use all the new developments and allow bugfixes, instead of having to resort to patching libraries.

@sachaw
Author

sachaw commented Apr 14, 2020

Great idea. How about FIDO-Tools?

@sachaw
Author

sachaw commented Apr 14, 2020

Feel free to suggest any organizational changes (will need to update the readme to credit @apowers313 and outline the reasons for the repo/org existing), but here we go: https://github.com/FIDO-Tools/fido2-lib
I have contacted GitHub to get the fork dependency removed (how is this still a requirement in 2020?).

@JamesCullum
Member

JamesCullum commented Apr 14, 2020

Hm, that is not really what I imagined when talking about a non-profit org, because it is very unclear who owns the organization, and we are talking about a vital security part. It would be great if you could make it more transparent.

We will also need to connect it back to travis and make it available on npm, as well as merging all relevant PRs in the fork. I will do some playing with my fork and see if all works out.

@JamesCullum
Member

I've done all of it here (publish to npm, rewrite pages, set up CD etc) and will merge all good PRs from here then: https://github.com/jamescullum/fido2-lib

@Wesseldr
Contributor

Wesseldr commented Apr 14, 2020

Thank you James! Great work!
Might be good to send https://fidoalliance.org/fido2/ an email as well that there is a new initiative to revive this library and ask if they could update the links as well. Apowers used to be a member there as well if I'm not mistaken; not sure who took his place there, but he is far too busy right now working for Amazon. But still... big credits to him for the work that he has done on this library 👍 Thank you!!!

@JamesCullum
Member

They used to have a list of reference implementations, but I don't find that page and link to this library anymore. Do you have it somewhere? I will google for other references to this library and ask them.

@sachaw
Author

sachaw commented Apr 14, 2020

Great work. The reason I think it's best placed in an organization is that maintainers can come and go with very little change. And I agree, at least shoot the FIDO Alliance an email (anyone want to do it? I don't mind doing it otherwise).

@JamesCullum
Member

I agree that an organization is a good approach, but it should be a real organization, not just one on Github, so that there is credibility behind it and people can use it for their projects without worrying about opening themselves up to a supply chain attack.

I wasn't able to find a good contact for the FIDO Alliance, so you're more than welcome to shoot the email :)

@sachaw
Author

sachaw commented Apr 14, 2020

@JamesCullum As you mentioned transparency, I believe it's fully transparent, just see https://github.com/orgs/FIDO-Tools/people. Also, an org is not tied to an account.

@sachaw
Author

sachaw commented Apr 14, 2020

@JamesCullum If you don't mind elaborating on "real organization", I'm not quite sure what you think this would entail?

@JamesCullum
Member

I mean something like the FIDO Alliance or OWASP - a real organization, a legal entity. Someone who can manage maintainers for a long time and with a sincere goal.

Of course your Github organization shows you behind it, but as it's not clear who that exactly is, an org would make more sense for me.

@sachaw
Author

sachaw commented Apr 14, 2020

That would be great, however there are a few issues I see:
Firstly, as of right now, this is only to maintain one package, and may not extend past that; as such, that stance may be "overkill".

Secondly, that approach seems heavy handed and would require much more discussion and fleshing out, positioning any work that could be being done on the repo.

And personally I don't believe there needs to be another organization providing a service like this, but that's only my take on it.

@JamesCullum
Member

I don't really mean the org managing it in a big way, but the org taking responsibility for assigning and checking maintainers (OWASP does it this way, for example). I agree with your points - hence until then, my fork could be sufficient.

However when we talk about a future-proof solution, where no single anonymous person is in control of it, there won't be a way around having an org manage it.

@sachaw
Author

sachaw commented Apr 14, 2020

Don't mean to be rude, but I think that the GitHub org I created fulfills that: we outline a few admins, and if the time comes when people have moved on, new maintainers can be brought in. The org is not tied to my account in any way like your fork is, so I believe using the org I created is best (I sent you an invite).

@sachaw
Author

sachaw commented Apr 14, 2020

It may be easy to do it this way: https://help.github.jp/enterprise/2.11/user/articles/transferring-a-repository-owned-by-your-personal-account/
Let me know and I can delete the existing fork.

@JamesCullum
Member

Hmm, I worry a bit about the accountability and security behind such an anonymous organization, but we can give it a shot. If you delete your fork, I will move mine there and we set up the org as well as possible.

@apowers313
Collaborator

apowers313 commented Apr 14, 2020

Hey y'all, sorry I've been neglecting this for so long. As a bit of background, I was working for FIDO when I started this project and then I was going to start a consulting company (WebAuthn Consulting). As I was trying to convince Amazon to be one of my first customers, they convinced me to come work for them instead and they have kept me plenty busy since then.

I have totally been ignoring this repo and I didn't realize it had this much traction. I would be happy to add collaborators to this collection of projects and grant access to the webauthn.org domain. Let me know if anyone is interested, or if you guys have already figured out how to work around my lack of care and feeding. :)

@JamesCullum
Member

Hey @apowers313 - great to hear back from you! We could either add maintainers to this project or move it into an organization, which would have less impact for your account. Which way would you prefer?

@sachaw
Author

sachaw commented Apr 14, 2020

I agree with @JamesCullum. Since there are a few repos, having them all in one place would be great.

@JamesCullum
Member

JamesCullum commented Apr 15, 2020

@apowers313 I've invited you into the org - if you can move your package there we can take care of pushing all updates there. I've also invited you to the npm org - if you grant the org permission write, we can manage that part as well.

@apowers313
Collaborator

Thanks, I'll work on transferring over packages tonight. Do you want all of them, or just this one?

@sachaw
Author

sachaw commented Apr 17, 2020

I think all of them, as there are certainly quite a few that are closely related and need maintaining.

@apowers313
Collaborator

Sorry, I don't see the organization invite... which organization is it?

@sachaw
Author

sachaw commented Apr 18, 2020

Just use the org you just created; there was nothing much in place yet anyway. Set it up how you want and we'll go from there.

@apowers313
Collaborator

Up and running: https://github.com/webauthn-open-source

Anyone that's interested in joining should ping me.

I think I transferred over all the interesting / real projects. I had some Polymer / web component stuff and half-finished authenticator code. Let me know if that's of any interest, or if it would just junk up the organization.

I also transferred over the WebAuthn logos (which I hear have been used by W3C) and a little project with a graphic of the status of platform adoption. FIDO Alliance bugs me from time to time to update it. ;)

If you see any of my other repos that I should transfer over, just let me know.

I'm not sure if transferring repos will break TravisCI. I can help you guys get it back up and running with the new org if it ends up being broken.

Also happy to point webauthn.org at a server if someone feels like setting it up and maintaining it.

If there's anything else, or if you have questions about the code architecture or design patterns, please let me know. :)

@JamesCullum
Member

JamesCullum commented Apr 18, 2020

What about the npm org?

I've created a team inside the org to discuss all details there.

@martinord
Contributor

Hi there!

Just found this issue and I think it would be interesting to show my interest here. I am a final-year CS student doing my dissertation on WebAuthn, and I am using this library to build a tool for debugging authenticators.

I can offer my modest experience and give a hand by contributing to the project. I'm looking forward to seeing a nice community around this! Of course, as @JamesCullum asks, it would be interesting to link it with the npm org, and find some maintainers for this.

I would also really appreciate any feedback/help with my dissertation.

@martinord
Contributor

Hey!

I'm currently using the npm package fido2-lib and it seems to be an older version than the project here. How can we get this package updated? Did the org get transferred @apowers313?

I found one published 5 months ago: https://www.npmjs.com/package/fido2-lib-node. Do you know any alternative to this? @JamesCullum

@JamesCullum
Member

JamesCullum commented Jun 1, 2020

@martinord Sadly @apowers313 did not complete any handover: he did not give us access to npm or give us write permission to any repository.

My fork was moved to another org and, after being accidentally deleted twice by another member, lost the links to the comments I've made here. However I am currently using, and will be using and maintaining, my fork until this one is maintained again. You can find it here: https://github.com/FIDO-Tools/fido2-library

It has most PRs integrated and is fully tested and integrated with npm.

@martinord
Contributor

@JamesCullum Oh I see. Then I will consider using your fork; hope Adam comes back to give permissions so all the efforts can be united.

I was thinking of doing a PR, should I do it on your fork or here?

@JamesCullum
Member

I think it's best if you create a fork of this repository, add your changes and create a PR for both. One time the effort, but your changes can be integrated in both cases :)

@rmhrisk

rmhrisk commented Jun 26, 2020

@apowers313 any updates on your plans if any to add other maintainers?

@davedoesdev

In case anyone's interested, I've been working on an alternative: https://github.com/davedoesdev/webauthn4js

I'd welcome your feedback. No doubt it needs some work but I thought I'd mention it in case it's of any use to someone.

@JamesCullum
Member

> @apowers313 any updates on your plans if any to add other maintainers?

He added other maintainers, but didn't grant us any permissions. The maintained fork is available here: https://github.com/FIDO-Tools/fido2-library

@apowers313
Collaborator

I can add some more this afternoon and grant others permissions. Who should I add and who should I give the right to add more?

@JamesCullum
Member

JamesCullum commented Nov 29, 2020

Thanks - we can keep it like this for now and can add people for specific parts down the road. I will go through this repository later on, but we still have the issue with the npm connection: even a maintained repository will not update the real package.

@apowers313 can you provide us inside the team with access to the npm package? I've added on Travis already the environment variable with a placeholder - you will only need to add a valid token. If you need help, feel free to contact me directly.

@JayHelton

Hello! What is the difference and status of this repository, versus https://www.npmjs.com/package/fido2-library?

I see that the latter is both ahead and behind commits from the forked origin.

@JamesCullum

@JamesCullum
Member

Hey @JayHelton, fido2-library represents the code of the fork, which used to be the only way to receive updates, as there was no maintenance possible in this repository. As I was finally given permission to merge changes here, I was able to merge most changes back here and implement most things.

However as @apowers313 has not shared any access to npm, the package associated with this code has not been updated. This means that the code in the repositories is the same, but on npm the package of this repository (as you can see in the README) is not updated and still contains vulnerabilities etc.

The code differences are mostly due to different orders and to provide an npm package and maintain healthy links inside a fork.
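The three package names that come up in this thread (fido2-lib, fido2-library and fido2-lib-node) are a small instance of the lookalike-dependency problem James raises above. As an added example that is not part of fido2-lib or any of the forks, the following Node script scans a package-lock.json for dependency names that are near-duplicates of the package you meant to install. The lock file contents and versions are constructed for the example, and the matching rules (separator-stripped equality, edit distance of at most 2, shared prefix or suffix) are the example's own choice, not anything the thread prescribes.

```javascript
// Added example, not part of fido2-lib or any of the forks discussed here.
// Flags entries in a package-lock.json whose names are near-duplicates of a
// package you actually intend to depend on, so a fork or an unrelated package
// such as "fido2-library" or "fido2-lib-node" does not get pulled in unnoticed.
// The lock file below is constructed for the example; the versions are made up.

const SAMPLE_LOCK = {
  name: "example-rp",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-rp", version: "0.0.1" },
    "node_modules/fido2-lib": { version: "0.0.1" },
    "node_modules/fido2-library": { version: "0.0.1" },
    "node_modules/fido2-lib-node": { version: "0.0.1" },
    "node_modules/some-dep/node_modules/fido2lib": { version: "0.0.1" },
    "node_modules/cbor": { version: "0.0.1" },
  },
};

// Two-row Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Package name from a lockfile v2/v3 "packages" key. Nested installs look like
// "node_modules/a/node_modules/b", scoped ones like "node_modules/@org/pkg".
function packageName(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Lower-case and drop "-", "_" and "." so "fido2lib" and "fido2-lib" compare equal.
const strip = (s) => s.toLowerCase().replace(/[-_.]/g, "");

// Returns the reason `name` looks like `trusted`, or null if it does not.
function lookalikeReason(name, trusted) {
  if (name === trusted) return null;
  if (strip(name) === strip(trusted)) return "same name without separators";
  if (levenshtein(name, trusted) <= 2) return "within 2 edits";
  if (name.startsWith(trusted) || name.endsWith(trusted)) return "shares prefix or suffix";
  return null;
}

// Walk every installed package and report the ones resembling a trusted name.
function findLookalikes(lock, trustedNames) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name) continue; // the "" root entry is the project itself
    for (const trusted of trustedNames) {
      const reason = lookalikeReason(name, trusted);
      if (reason) hits.push({ name, trusted, reason, version: entry.version, path: key });
    }
  }
  // Plain code-point order keeps the output stable across locales.
  return hits.sort((x, y) => (x.name < y.name ? -1 : x.name > y.name ? 1 : 0));
}

for (const h of findLookalikes(SAMPLE_LOCK, ["fido2-lib"])) {
  console.log(`${h.path} (${h.version}) looks like ${h.trusted}: ${h.reason}`);
}
```

A hit only means the name deserves a second look: the script cannot tell which of the packages is the one you intended, it just surfaces the candidates so that the choice is deliberate rather than a result of `npm install` guessing. In a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and list the packages you actually vetted as the trusted names.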

@apowers313
Collaborator

Happy to transfer over the npm. Want to spin up a new group to own it or something?

@JamesCullum
Member

Hey @apowers313, I would leave it as it is; I will just need the npm token for deployment.
If you could mail it to me or set it yourself in Travis, either is fine 👍

@martinord
Contributor

Hi there! Any updates on this? @JamesCullum are you already able to update the npm fido2-lib? If so, you may update the README. I'd like to know the status so I can switch back to this maintained repo and npm package. Thanks

@JamesCullum
Member

No worries - once I am provided access to the npm repository, I will publish it everywhere. However so far there has been no progress in granting access to the package.

@apowers313
Collaborator

@JamesCullum what's your npm username so that I can add you as a maintainer?

@JamesCullum
Member

@apowers313 My npm username is jamescullum

@martinord
Contributor

Hi! Any updates on this?

@JamesCullum
Member

Sadly none, I still don't have access to the npm package.

@JamesCullum
Member

Just noticed that I do actually have access in npm. Will try to update the code here again to be at the same code state as fork.

9 participants