apereo / phpCAS

Apereo PHP CAS Client
https://apereo.github.io/phpCAS/
Apache License 2.0

jasig/phpcas package should be abandoned in favor of apereo/phpcas #426

Closed jboulen closed 1 year ago

jboulen commented 1 year ago

When a project uses the jasig/phpcas package instead of the apereo/phpcas package, dependabot on github is unable to report the security alerts. So maybe the jasig/phpcas package should have "abandoned" status to motivate developers to migrate to the apereo/phpcas package?

There is also a lack of information on packagist.org. Only the apereo/phpcas package announces security alerts: https://packagist.org/packages/apereo/phpcas (compare https://packagist.org/packages/jasig/phpcas).

jfritschi commented 1 year ago

Thanks for the info. Makes sense but currently the package is owned by someone else....

jboulen commented 1 year ago

Do you mean that the jfritschi account referenced as maintainer on the jasig/phpcas package is not yours? I can try to contact someone at packagist.org if you agree.

jfritschi commented 1 year ago

The account jfritschi is mine. But the apereo/phpcas package that you propose as future package is owned by someone else...

jboulen commented 1 year ago

Oh, I thought that apereo/phpcas package was owned by someone from apereo...

phy25 commented 1 year ago

I see the user with the same profile picture is on GitHub as @wuwx. We might need to do a more official outreach but looks like at least one of the maintainers here needs to have admin access of that packagist package to proceed.

Zeuh commented 1 year ago

Since https://github.com/apereo/phpCAS/commit/c98aa746c468104ec6a8b3ca9a6ed32fdda635fd there is some security risk for projects using phpCAS via composer:

Linked: Private Packagist, "Packagist.org maintainer account takeover": On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and …

Linked: GitHub, "Refactor package permissions into a voter, restrict URL edits from 50k dls by Seldaek · Pull Request #1374 · composer/packagist"

jfritschi commented 1 year ago

I have sent a message to packagist and hope they can simply transfer ownership of the package to me....

jfritschi commented 1 year ago

I have gained ownership and have now marked jasig/phpcas as abandoned and pointed to apereo/phpcas.

jboulen commented 1 year ago

Great! Thank you @jfritschi!

I confirm that it works as expected:

$ composer update jasig/phpcas
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
**Package jasig/phpcas is abandoned, you should avoid using it. Use apereo/phpcas instead.**
Generating autoload files

So I can close my issue. :)
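The script below is an added example, not code from this thread or from phpCAS. It scans a composer.lock document (a constructed excerpt is embedded) for packages in a rename map such as jasig/phpcas to apereo/phpcas and reports which installed packages still require the old name, so a CI job can catch the migration gap before composer prints the abandonment warning shown above. The package name acme/sso-bridge and the rename map are assumptions made for illustration.

```python
import json

# Packages renamed on Packagist: the old name is marked abandoned and the
# replacement is where security advisories are published (from this thread).
REPLACEMENTS = {"jasig/phpcas": "apereo/phpcas"}


def find_abandoned(lock_text, replacements=REPLACEMENTS):
    """Scan a composer.lock document for packages that should be migrated.

    Returns a list of dicts with the old name, installed version, replacement
    and the installed packages whose own 'require' pulls the old name in
    (an empty list means it is only a direct dependency in composer.json).
    """
    lock = json.loads(lock_text)
    installed = lock.get("packages", []) + lock.get("packages-dev", [])
    findings = []
    for pkg in installed:
        old = pkg["name"]
        if old not in replacements:
            continue
        # Transitive dependents: any installed package requiring the old name.
        dependents = [
            other["name"] for other in installed
            if old in other.get("require", {}) or old in other.get("require-dev", {})
        ]
        findings.append({
            "package": old,
            "version": pkg.get("version"),
            "replacement": replacements[old],
            "required_by": sorted(dependents),
        })
    return findings


# Constructed composer.lock excerpt; acme/sso-bridge is a hypothetical package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "jasig/phpcas", "version": "1.3.8", "require": {"php": ">=5.4"}},
        {"name": "acme/sso-bridge", "version": "2.1.0",
         "require": {"jasig/phpcas": "^1.3"}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for f in find_abandoned(SAMPLE_LOCK):
        via = ", ".join(f["required_by"]) or "composer.json (direct)"
        print(f"{f['package']} {f['version']} is abandoned; use "
              f"{f['replacement']} (required by: {via})")
```

Run it against a real composer.lock by reading the file contents into find_abandoned; a non-empty result is the signal to fail the CI job and update the listed dependents.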