OpenMage / magento-lts

Official OpenMage LTS codebase | Migrate easily from Magento Community Edition in minutes! Download the source code for free or contribute to OpenMage LTS | Security vulnerability patches, bug fixes, performance improvements and more.
https://www.openmage.org
Open Software License 3.0

Magento 1 "End Of Life" and OpenMage #265

Closed beejhuff closed 6 years ago

beejhuff commented 7 years ago

I thought I'd open an issue to track discussions on how OpenMage might address the upcoming (November 2018) official end of life that Magento has publicly announced.

There have been scant details released officially, and although Alan Storm has shared a few interesting thoughts, I haven't seen much community discussion about what this might mean for the broader community.

I was curious if the maintainers @LeeSaferite @drobinson @Flyingmana had begun discussing this yet or may have had the chance to get some feedback while at Imagine 2017?

Assuming Magento keeps to its announced date, we might safely assume that they would no longer be releasing security patches or bugfixes and might no longer be sponsoring their active HackerOne Bug Bounty Program for Magento 1 (though it would be nice to get that part confirmed).

The bug-fixes are an area this project is already dealing with, but the security fixes (as far as I have been able to tell) in this project have been driven through Magento's SUPEE releases, so I'm curious if any of the active participants here have heard anything from their customers using this lts release that might signify interest in maintaining active development.

Flyingmana commented 7 years ago

I speak here for myself, mostly because I did not talk much about it with the others yet, and because it's still a relatively long time for me till we reach this point. Also it gives a good point in which direction I would lead this project, if nobody complains about it.

My personal expectation is that there will be a last release by the end of next year. Then we either have a clear statement about the roadmap from Magento inc, or not. Either way I expect that everything from then on will not be more than small bug and security fixes. This also means we can enter a phase of more intensive changes, without fear of too much work integrating new releases from the side of Magento Inc.

We will then need to create our own roadmap. We will have one version branch at least for a while with just non-breaking changes. But we will also start a new version (how to handle the version numbers is a completely separate discussion topic then) which will apply (minor) breaking changes some people have already been wishing for for years now.

We need to establish a proper security issue reporting mechanism (I know how to be reachable via gpg encrypted mail, and I should get my key signed a bit more often).

The most critical part will be the process of financing all this stuff. A bit may be possible to gather from several agencies or big shops not able/willing to switch to a different platform. There may be the possibility to try financing it via gofundme, kickstarter, patreon or similar. And yes, I would like to maintain this big project, full-time. But this depends on collecting enough money (or sponsorship) to be able to. It would probably include some kind of partnership with the Meet Magento Association to have someone who is able to provide paid support. Also continuing to have a bug bounty program will cost something, which needs to be paid by someone. Then there is also the question, do we need some kind of legal organization around this project, or would people for now be ok with independent people who maintain this.

Some of the other big first tasks will be to have a really good testing setup, having a proper non-hacky integration with composer possible, and a modernized update process. (That alone is worth a kickstarter, so we can have an updater like the wordpress people have. I am really jealous about this one.)

There would be a long term goal for me, and with long term I estimate ~5 years and more. The goal is to reduce the transition cost to Magento2 so far that a switch is doable for everyone. Or as an alternate goal, to modernize the codebase, so that something similar to Magento2 :sweat_smile: is the result.

I am sure I have forgotten some points, but I am sure the community around this project will help remind me.

ADDISON74 commented 7 years ago

Magento 1 is a great piece of software, the best shopping cart I ever used, starting my experience a long time ago with osCommerce. Those who consider it old did not evaluate the treasure consisting of articles, true solutions, tons of free and paid extensions, themes, tutorials, books and many more. At any moment I can find something related to my issues for Magento 1.

What is Magento 2 actually offering? I hear a lot of people wanting to upgrade but did they evaluate the opportunities and the cost? A completely different platform adapted to "our days", a few expensive extensions, lack of support, a longer period of accommodating, missing books and tutorials. The only great thing I appreciate is the bug reporting system in Git. It will take around 3 - 4 years to get a complete competitive and powerful switch catching what Magento 1 offers right now. Just take a look, there are 2200 issues raised at this moment and this is not easy to manage.

Today Magento 1 is like a person around the age of 40, mature. Everything you want from it is on the market. Abandoning Magento 1 is a bad idea even for security patches, but if you look deeper they abandoned it a long time ago, about 2 years ago, just offering security patches, no more features. I am saying this based on comparisons between the new version and the previous one. Just see how slowly the team reacts to bugs reported in their system. Only the community keeps it alive because it's still the best shopping cart on the market. I hope for good they will not close the Magento Connect website, where there are over 6000 extensions, paid or not.

I recently found Magento-LTS and I will help you by posting issues and solutions found in the Magento default installation. I hope we will keep this project alive for 5 years.

colinmollenhour commented 7 years ago

I agree with @Flyingmana that security patches are probably one of the most important aspects of the EOL, all of the other stuff is being so neglected that I don't think it can get much worse in the community's hands. However, I'd say the future of M1 as Magento, Inc.'s product is very uncertain and I seriously doubt they will really sunset it completely in 2018.

I would be interested to know how many merchants would take a downgrade path if it was available from M1 EE to M1 CE versus upgrading to M2 EE? If it was a lot that could certainly inject some life into this project and combined with the prospects of "a phase of more intensive changes" I think this project could have a very bright future.

Regarding making this project more like M2, I don't see that as being a good path forward. M2 came both too late and too early to take advantage of some really great technologies. Case in point, they should have skipped jQuery entirely and gone straight to Angular/React/Vue and (had it existed at the time) skipped the RESTful API entirely and built a GraphQL API (perhaps with a REST wrapper). If you're going to make intensive changes to M1 that's the direction I'd go rather than repeating all of the M2 work. A lot of the biggest pain-points can be fixed with smaller changes (like event observers in the right places and some light BC-breaking refactoring). However, I don't see starting on such intensive changes without a good suite of tests and a CI system in place. I think contacting some open-source extension authors and asking them to "donate" their extensions as more cleanly integrated core features would be a great place to start. For example Magento should have 2FA out of the box without a doubt so the Magento Hackathon 2FA module would be a perfect candidate.

sreichel commented 7 years ago

I agree with @Flyingmana that security patches are probably one of the most important aspects of the EOL, all of the other stuff is being so neglected that I don't think it can get much worse in the community's hands. However, I'd say the future of M1 as Magento, Inc.'s product is very uncertain and I seriously doubt they will really sunset it completely in 2018.

At least 3 thumbs up for this comment. Fully agree with this! Just wanted to let you know ... now I start my holidays and as soon as I'm back I'll write a comment from a user/shop owner (maintainer) perspective.

Flyingmana commented 7 years ago

I created an additional repository for additional organisational topics. First we can have a naming discussion there (https://github.com/OpenMage/organizational/issues/1). If there is other stuff which needs its own discussion, create an issue there. And if you are interested in them, you can watch this repository, so we can keep the notifications in the LTS repo a bit more centred around M1 issues and don't spam people unwanted.

sreichel commented 7 years ago

Something to read ... https://magento.com/blog/magento-news/ongoing-magento-1-support

sreichel commented 6 years ago

TBC here: https://github.com/OpenMage/organizational

mmenozzi commented 4 years ago

Hi guys, what about this old topic? Is there any plan about making OpenMage an organization able to collect (and then fix) M1 security issues after M1 sunset in June 2020?

ADDISON74 commented 4 years ago

Migration from M1 to M2 is too slow. This is the main reason why in the M1 Inbox you get weekly messages about special prices for switching to M2. In my opinion M2 is a powerful piece of software but did not get its maturity. Extensions are still expensive, higher costs to maintain, lack of information. In the last year I played with M2 and it's great if you learn too many things.

A golden rule says "Don't fix what isn't broken". I estimate hundreds of thousands of stores still using M1 and making money in the next years. Switching to a new version which has a different architecture without knowing the benefits is not something to like.

The only problem we have with M1 is related to security patches. We all know that for years the Magento Team did not add new features, just releasing SUPEE-X. There are many still open issues fixed in other places but not implemented into the official core. A system based on free contribution or donation could keep M1 in good shape for many years from now on. First we need a place where to report and fix security issues. It could be here but I have serious doubts how many users have the knowledge baggage to discover security holes. A maintainer team is also a necessity.

Flyingmana commented 4 years ago

@mmenozzi could you open a dedicated ticket for this topic in https://github.com/OpenMage/organizational/issues ? We already discussed this internally, but having an additional public discussion for this could be useful. (Without people asking for such things, we can't know what people expect from us.)

@ADDISON74 We have a maintainer team of at least 5 people (actually more, but they are not active here). The ones who make their role public are mentioned in the Readme and composer.json, through which you can also contact them directly. I see we should also point this out more prominently, so I started this pull request ( https://github.com/OpenMage/magento-lts/pull/878/files ) as a placeholder (need to discuss internally what exactly we want to promote, till then at least I make myself available for this).

Besides this, we also have contact with a few security professionals of the Magento ecosystem and have contact with multiple agencies and even partner with one of the big Magento hosters, which enables us to get fast information and good observability of more widespread attacks targeting Magento1.

Additionally there is https://mage-one.com/ for Magento1 (not covering OpenMage, as long as they do not have enough customers asking for it). While they will not give out the patches for free, I am sure they will still reach us with some delay. (If there is a patch, there is likely an attack, which then can be used to reverse engineer the security issue.)

mmenozzi commented 4 years ago

Done @Flyingmana https://github.com/OpenMage/organizational/issues/13! Let's continue there!

ADDISON74 commented 4 years ago

@Flyingmana: Thank you for letting us know. I am glad you already found solutions. One direction is security patches; the other ones are related to fixing the reported issues found in the source code plus adding small improvements and keeping Magento 1 working with the new distributions of LAMP/LEMP. I fixed a lot of issues in the code over the years, some of them reported in the old Magento Bugtracker or Stackexchange/Forums, some of them not. I will revise all of them and bring them here. By making good publicity for this project we can bring anyone interested in continuing with M1 here. There are a few advantages in Git: we always have an updated version periodically and we can know what is new. I would like to know everyone's opinion related to continuing M1 here.