SAML-Toolkits / java-saml

Java SAML toolkit
MIT License

This project is currently not under active development #388

Open bzvestey opened 2 years ago

bzvestey commented 2 years ago

Hello everyone, we here at OneLogin wanted to let you know that this project is currently not under active development. We apologize for recent silence and continued wait, but we intend to resume maintenance in the future.

Note that I am unable to make any more changes to this repository, and I don't have someone I can forward you to at this time.

mauromol commented 2 years ago

Two proposals from me:

  1. may I become a committer to maintain this project, although on a voluntary basis and with no warranty at all with regards to time and features?
  2. as an alternative, if I were to create a somewhat long term fork of this project, can I continue to use onelogin names in one or more of these locations:
    1. package names
    2. preferences names
    3. Maven artifact names (e.g. group id)
    4. anything else I cannot think of right now?

By the way, is @eriktalvi involved in this project any more?

haavar commented 2 years ago

@mauromol I would also be interested in taking over maintenance of this project. I was considering making a fork for my own purposes, or maybe writing one from scratch that suits my needs, but neither of those options is ideal.

Depending on OneLogin's stance on this, we could start a new fork without any OneLogin references. I don't think the migration for any clients using this would be too cumbersome.

I can commit a fair bit of time to this, as the alternative would pretty much mean writing my own.

pitbulk commented 2 years ago

Hi @mauromol,

I'm also considering forking all the SAML repos and trying to give them at least critical support/maintenance, not only the java-saml one.

I will try to contact someone at OneLogin to see if that is going to be possible.

mrmoss commented 2 years ago

Hi all - Engineer at OneLogin here. Starting the process to get these all transferred over to @pitbulk. Not sure how long it will take, but since they are already open source, I don't see how they can be against it...

mauromol commented 2 years ago

Thanks for the news and thanks @pitbulk for stepping up. I hope the transition for this project will be quick.

kleptog commented 2 years ago

How's it going with the transfer? And does this include the rights to update the packages on PyPi?

eriktalvi commented 2 years ago

Development Update. OneLogin is releasing these projects to a new organization with @pitbulk. This migration is actively happening and the priority is to make the transition as seamless as possible for end users of these repo/packages.

We expect that there are several questions that you all have and we are working with @pitbulk to answer those in our next update. Below are some answers we have for you now.

What is being changed? The repos/packages will no longer be officially supported and hosted by OneLogin. This means that they will not be in the OneLogin Github org but in a new org, SAML Tools. References to the repos being provided and supported by OneLogin Inc will be removed.

Which projects are being moved? All SAML repos will be moved. This includes: java-saml, python3-saml, wordpress-saml, moodle-saml, joomla-saml, drupal-saml, and dotnet-saml

When will this transfer happen? We expect this to be completed by the end of the year, Dec 31 2022.

Why is this transfer happening? OneLogin is releasing control of these open source repos so that they can be maintained by the community instead.

When will the next update be? To keep you all informed of status, we will give monthly updates of how the transfer is proceeding.

danielstravito commented 1 year ago

December ping :)

eriktalvi commented 1 year ago

Development Update. Although it may not seem like it, the last month had a lot of progress and the primary SAML Toolkit repos and packages have been transferred from OneLogin to this new SAML Toolkit Org.

@pitbulk now has all the access needed to maintain these toolkits and will be providing his own update.

There has been a lot of pent up demand for support on these repos and now that this transfer is finished you should expect to see a lot more progress on that!

There are still four repos (wordpress-saml, moodle-saml, joomla-saml, drupal-saml) left to transfer and these will be finished in the upcoming weeks.

Cheers!

(Thanks for the ping @danielstravito )

eyalyatir commented 1 year ago

January update?

eriktalvi commented 1 year ago

I'll let @pitbulk give a longer update, but the migration has happened and these repos are now part of the SAML-Toolkits org.

pitbulk commented 1 year ago

@eyalyatir , @danielstravito

I started to provide support to the SAML toolkits.

I started with the python-saml and python3-saml repos, continued with ruby-saml, and now I'm working on the php-saml toolkit. java-saml is going to be next, but first I need to update and release the php-saml toolkit.

Once I clean up, reply to issues, take care of old PRs, update dependencies and make an official release, the maintenance on all repos will be done in parallel. But there was a lot of work to be done and I'm doing it in my spare time, which is very limited at the moment. Doing my best :)

danieltaylor commented 1 year ago

@eriktalvi, correct me if I'm wrong, but it appears that not all of the projects mentioned above have been migrated yet? I am particularly interested in the migration of wordpress-saml, which seems to still be pending migration per @pitbulk's comment this last May. Would it be possible to get an update on this?

Thank you for your efforts to allow the continued open-source development of these projects!

sebastianmichalski commented 11 months ago

How is the progress with java-saml?

coffeebeantraining commented 9 months ago

How is the progress with java-saml?

Looks like @pitbulk moved on from OneLogin a while ago. https://www.linkedin.com/in/sixtomartin/?locale=en_US I also need a Jakarta version since we're operating with TomEE instead of Tomcat.

mrmoss commented 7 months ago

How is the progress with java-saml?

Looks like @pitbulk moved on from OneLogin a while ago. https://www.linkedin.com/in/sixtomartin/?locale=en_US I also need a Jakarta version since we're operating with TomEE instead of Tomcat.

Really late to this, but a little background on OneLogin: OneLogin doesn't have engineers anymore (there are fewer than 10 people on the engineering side of things these days... probably fewer than 5 now... and they will be going away as soon as the company can extract knowledge from them). OneLogin was bought out by private equity and everything has been contracted to outside the company. Open source libraries were essentially the first thing abandoned once they were acquired (well, except for the employees).

There's a single person (@pitbulk) really looking at any repo under this org. I don't know how he does it. After working at OneLogin, my personal desire to code or engineer is completely gone. That company trampled the spirits of a lot of engineers.

TL;DR - Every project in this org is maintained by one engineer with a full-time job and a personal life, working for free.

If you work for a company utilizing this code, it might be worth telling them to send a paycheck to @pitbulk or @eriktalvi for any critical improvements.

Note: Erik is the one that fought for these repos to be handed over to Sixto. Without him, these would have been slowly killed and possibly made private. It took nearly a year to get this done.

dsvensson commented 7 months ago

If it took nearly a year to get this in place, why just let it rot now? This background information makes what's going on in https://github.com/SAML-Toolkits/java-saml/pull/395 feel even more destructive, where people have reached out to help with maintainership only to be met with silence and empty promises of "I'll look into this RSN". Better to try to find some solid names before JiaT75 enters the chat.

Broadening the set of co-maintainers doesn't necessarily have to mean handing over the keys to the castle like in the xz case, merely reducing the overall burden.

mrmoss commented 7 months ago

@dsvensson Everyone only has so much energy. Vetting someone to take over is not zero work. When it comes to SAML specifically, the potential for things to go wrong is high.

I think you're asking the wrong question: Why should the weight of a set of repos, used primarily by companies, with record profits, rest upon the actions of one person for zero compensation?

Pressure to give free labor at the expense of one's well being is what enabled the JiaT75 situation. Complaining that the repo is not well maintained enough is literally how JiaT75 got commit rights in the first place.

The mental health of open source contributors is greater than the needs of companies. If they cannot wait for the maintainer to find time, then they either need to compensate said maintainer so they prioritize the efforts OR they need to do the work themselves.

The code is open. Nothing is stopping anyone from forking it.

haavar commented 7 months ago

I completely understand that people's time and energy are limited, and I certainly understand why the original maintainers would not want to keep working on this. I am not trying to make someone do something they don't want to. I'm simply trying to evaluate whether this project is end of life or not, and if it is EOL then I want to see if there is a community to bring it forward.

From this exchange it sounds like we are at the end of the road for this repo. I don't have any way of paying contributors to maintain this project. Even if I did, I don't think I could rely heavily on a project that only gets critical updates.

I have a vested interest in the java-common-core module, and I have no problem justifying spending work hours on that. I will start looking into what a fork would look like under the MIT license and my workplace policies, and weighing the red tape of that vs. starting a library from scratch.

Are there others who are willing to contribute to either a fork, or to this current repo if @pitbulk would be willing to vet us?

I just want to stress that I appreciate the effort that has been put into this project, and I'm not trying to coerce anyone into doing something that they don't want.

pitbulk commented 7 months ago

@haavar, I'm always open to collaborations, but as we saw in the recent XZ Utils issue, I am responsible for the final release and what is pushed. Sadly, it is not that easy to grant 2-3 new maintainers permissions and allow them to take care of the project.

The current challenge is that I have had no time to review the work done by @markkolich at https://github.com/SAML-Toolkits/java-saml/pull/395 and find a way to adapt it so that current Java projects will keep working after an update.

@haavar, if you or anyone can spend time on this task and unblock this part, the rest of the work is going to be a matter of fixing some expired payloads used in tests, reviewing and merging some pending PRs, and doing the release.