Comments (17)
1 required, but with a policy of 2 being the norm - but if we're busy and only 1 can pay attention I think that should be fine.

I'd guess a couple of admins and the rest as org members. Repos needing at least 1 approving review before merge as well as CI passing?
Added the 4 folks mentioned in that original issue as org members, and it looks like @oxisto has interest to help here, so maybe adding him as a maintainer for this repo?
Do we know what a migration to this org would look like? Are we asking @dgrijalva to transfer ownership?
I'd guess this would auto-migrate anyone using the `dgrijalva/jwt-go` import path due to GitHub's redirect? Is that what we want?
Alternatively we can bring all the commits into a new repo here, which is more work, and ask @dgrijalva to archive the repo with a notice in the README?
I quite like GitHub redirects, but I'm a bit conflicted, because if users are importing `github.com/dgrijalva/jwt-go` then that is the repo (and source code) they are expecting.
What do others think?
Also, this will depend on what the original maintainer prefers. I'll ping dgrijalva/jwt-go#462 to see if there is a preference.
Maybe we can open another ticket to figure out how to add module support? Since there might be a new import path via `s/'dgrijalva/jwt-go'/'golang-jwt/jwt'`, one alternative is to drop the existing version and tag this repo (and module) as `v1.0.0`. For users this would be a simple change in import paths?

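One way to carry out the import path change floated in the comment above, as an added example that is not code from the thread or the project: a POSIX shell helper that rewrites `.go` imports from `github.com/dgrijalva/jwt-go` to the proposed `github.com/golang-jwt/jwt` path and reports which `go.mod` lines still need a version chosen by hand. The new path and the `v1.0.0` remark are taken from the comment; the file layout it operates on is whatever module root you pass in.

```shell
#!/bin/sh
# Added example, not code from the thread or the project: migrate Go import
# paths from the archived dgrijalva/jwt-go repository to the proposed
# golang-jwt/jwt path, and report what still has to be done by hand.
set -e

OLD_PATH="github.com/dgrijalva/jwt-go"
NEW_PATH="github.com/golang-jwt/jwt"

# Number of .go files under $1 that still import the old module path
# (the package itself or any subpackage such as .../jwt-go/request).
# Run it before the rewrite to scope the change and afterwards to confirm
# that no import of the unmaintained repository is left behind.
count_old_imports() {
    find "$1" -type f -name '*.go' -exec grep -l "\"$OLD_PATH[\"/]" {} + | wc -l | tr -d ' '
}

# Rewrite import statements in every .go file under $1. The pattern needs the
# opening quote before the path and a quote or '/' after it, so subpackages
# are migrated while an unrelated path that merely shares the prefix is not.
rewrite_imports() {
    find "$1" -type f -name '*.go' -exec grep -l "\"$OLD_PATH[\"/]" {} + |
    while IFS= read -r f; do
        sed "s#\"$OLD_PATH\([\"/]\)#\"$NEW_PATH\1#g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# go.mod is deliberately left alone: the fork's tags need not match the old
# repo's (the comment above floats a fresh v1.0.0), so the version on each
# require line is a human decision. This prints the lines that need it; after
# editing them, `go mod tidy` regenerates go.sum and drops the old module.
list_gomod_requires() {
    grep -n "$OLD_PATH" "$1/go.mod" 2>/dev/null || true
}
```

From the module root, run `count_old_imports .` to scope the change, `rewrite_imports .` to apply it, then `list_gomod_requires .` to see what remains for manual editing.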
I was hoping there would be some conclusion to dgrijalva/jwt-go#462.
It's still up in the air whether @dgrijalva wants this project to:
- continue residing under his account, dgrijalva/jwt-go, with external maintainers at the repo level
- be maintained via this community effort under golang-jwt/jwt
IMO they are mutually exclusive. Otherwise, we get fragmentation within the ecosystem, and this is never good.

The upstream security fix was merged (dgrijalva/jwt-go#429) and the repo has an updated README.
Ideally @dgrijalva would also archive (sunset) the repository, to avoid folks continuing to open issues / PRs against it .. but that's totally his choice.
Going to close this issue. Please feel free to comment on this thread if anything is outstanding.

Another thing to consider is what access to set up on the org/repo. I also do not want to be the sole "admin", and this should be spread among a few people. Based on interactions on various OSS projects and blog posts and talks I hope the lot is trustworthy and there is no malicious intent, but this is hard in open source. Any suggestions welcome.

> I'd guess a couple of admins and the rest as org members. Repos needing at least 1 approving review before merge as well as CI passing?
> Do we know what a migration to this org would look like? Are we asking @dgrijalva to transfer ownership?
> I'd guess this would auto-migrate anyone using the `dgrijalva/jwt-go` import path due to GitHub's redirect? Is that what we want?
> Alternatively we can bring all the commits into a new repo here, which is more work, and ask @dgrijalva to archive the repo with a notice in the README?

> I'd guess a couple of admins and the rest as org members. Repos needing at least 1 approving review before merge as well as CI passing?
> Do we know what a migration to this org would look like? Are we asking @dgrijalva to transfer ownership?
> I'd guess this would auto-migrate anyone using the `dgrijalva/jwt-go` import path due to GitHub's redirect? Is that what we want?
The GH redirect works quite well; I just tested it using a small internal test repo (https://github.com/oxisto/go-httputil). I can still download old versions from the old import path, and the pkg.go.dev site still works (https://pkg.go.dev/github.com/oxisto/go-httputil). It links to the old GitHub repo page, but that is redirected to the new one.
I then changed the path in the `go.mod` on the new repo and did a 'v2' release on the transferred repo. This one of course only shows up on the new https://pkg.go.dev/github.com/aybaze/go-httputil/v2 site.
The only pain in this case is the switch from "plain" to `/v2` module syntax.
> Alternatively we can bring all the commits into a new repo here, which is more work, and ask @dgrijalva to archive the repo with a notice in the README?

The Gerrit model for example works by requiring more than one approval, so something like that could work (ceremoniously, since GitHub doesn't have flows like that yet). I adhere to @mfridman's sentiment: this can't (or shouldn't, at least) be a centralized thing (in the sense of just one or two people). I, for instance, could check PRs and the sort, but if my availability is not enough to respond in due time we don't want the repo to go stale again, so another member can hop in and continue the work.
> The GH redirect works quite well; I just tested it using a small internal test repo (https://github.com/oxisto/go-httputil). I can still download old versions from the old import path, and the pkg.go.dev site still works (https://pkg.go.dev/github.com/oxisto/go-httputil). It links to the old GitHub repo page, but that is redirected to the new one.
> I then changed the path in the `go.mod` on the new repo and did a 'v2' release on the transferred repo. This one of course only shows up on the new https://pkg.go.dev/github.com/aybaze/go-httputil/v2 site.
> The only pain in this case is the switch from "plain" to `/v2` module syntax.
Those are good options to know. I suspected that tweaking the mod files was going to be necessary, but the GitHub redirect is a feature I was not aware of.

> I'd guess a couple of admins and the rest as org members. Repos needing at least 1 approving review before merge as well as CI passing?
The org should also be public (I guess it is private right now because it is brand new; this is just a reminder).
> Do we know what a migration to this org would look like? Are we asking @dgrijalva to transfer ownership?
> I'd guess this would auto-migrate anyone using the `dgrijalva/jwt-go` import path due to GitHub's redirect? Is that what we want?
> Alternatively we can bring all the commits into a new repo here, which is more work, and ask @dgrijalva to archive the repo with a notice in the README?
Both options need his blessing/action, so I guess it will boil down to whichever he prefers.

> The Gerrit model for example works by requiring more than one approval, so something like that could work (ceremoniously, since GitHub doesn't have flows like that yet). I adhere to @mfridman's sentiment: this can't (or shouldn't, at least) be a centralized thing (in the sense of just one or two people). I, for instance, could check PRs and the sort, but if my availability is not enough to respond in due time we don't want the repo to go stale again, so another member can hop in and continue the work.
You can do that with the (new) branch protection settings now as well. It has quite extensive rules on how many reviews, who can dismiss reviews, and also defining a group of people whose review is mandatory (through setting them as code owners), etc. Code owners can also be set for different files and directories. The world is your oyster.
So this is definitely something one should agree on beforehand.

> I'd guess a couple of admins and the rest as org members. Repos needing at least 1 approving review before merge as well as CI passing?
> The org should also be public (I guess it is private right now because it is brand new; this is just a reminder).
@lggomez Could you elaborate on this point? Maybe I missed something..
AFAIK https://github.com/golang-jwt is a public org, but it's up to each "org member" to publicize whether they are part of the org or not.

I just wasn't seeing the organization members before, so I assumed it was private. Sorry if it was not the case.

> I'd guess a couple of admins and the rest as org members. Repos needing at least 1 approving review before merge as well as CI passing?
> Added the 4 folks mentioned in that original issue as org members, and it looks like @oxisto has interest to help here, so maybe adding him as a maintainer for this repo?
Ah, yes! Sorry for the delayed answer. Feel free to add me as a maintainer directly to the repo, looking forward to helping!

> The Gerrit model for example works by requiring more than one approval, so something like that could work (ceremoniously, since GitHub doesn't have flows like that yet). I adhere to @mfridman's sentiment: this can't (or shouldn't, at least) be a centralized thing (in the sense of just one or two people). I, for instance, could check PRs and the sort, but if my availability is not enough to respond in due time we don't want the repo to go stale again, so another member can hop in and continue the work.
> You can do that with the (new) branch protection settings now as well. It has quite extensive rules on how many reviews, who can dismiss reviews, and also defining a group of people whose review is mandatory (through setting them as code owners), etc. Code owners can also be set for different files and directories. The world is your oyster.
> So this is definitely something one should agree on beforehand.
@mfridman Do you want me to set the branch protection rules so that 2 reviewers are needed? But it seems I am missing the permissions for that. I can set the general merge options, but not the branch protection rules.

@oxisto maybe 1 reviewer is sufficient, but I don't have a strong opinion. Let's see if @Waterdrips @lggomez @ripienaar have thoughts around this ..
Also, is the repo sufficiently set up as a "community" project where access is spread across multiple people and the main concerns have been addressed?
Apologies for the noise as we get things figured out.

I think we can close this? Or do we have anything left over on our bucket list? Does every one of the "original" four (@ripienaar, @lggomez, @mfridman, @Waterdrips) have all the access they need? As far as I can see, I am not part of the org, but have direct maintainer access to the repo - which is also fine. You can also add me to the org if that makes things more consistent; either way is fine by me.
Some kind of message on the original repo would be nice, but that is up to @dgrijalva.
Apart from that I think we did all we can do on our end?
Update: Would it make sense to add @dgrijalva as maintainer to the org / repo as well? In case he decides to come back. Would be a nice gesture I think.

Bump. Keeping an eye on dgrijalva/jwt-go#429, which stemmed from this comment: dgrijalva/jwt-go#462 (comment).
Once this gets merged and that issue is resolved I'll close this ticket with a status update.
