duo-labs / webauthn

WebAuthn (FIDO2) server library written in Go
https://webauthn.io/
BSD 3-Clause "New" or "Revised" License

Project Future #155

Closed aseigler closed 1 year ago

aseigler commented 2 years ago

With the webauthn.io demo site no longer being backed by this library, it may be time to move the project to another organization (perhaps https://github.com/go-webauthn) and establish a new demo site. Thoughts?

MasterKale commented 2 years ago

I personally see the value in relocating the project especially since Duo doesn't officially use it for anything anymore.

I see that https://github.com/go-webauthn/webauthn says it's a fork of this library; is there something in the golang ecosystem that'd require a "hand-off" of this repo? Or could you simply fork and migrate things over to that, while this repo gets marked Archived with a pointer over to the maintained fork?

Just throwing ideas out there. I'd be curious to hear what @nicksteele thinks about a potential migration.

james-d-elliott commented 2 years ago

I originally made the fork prior to you coming on board, noticing a significant backlog and significant issues which I could not justify publishing to production in another project, while attempting to continue making PRs for the important things here.

Generally in the Go ecosystem the way you describe is fine. Go actually has a cool syntax in go.mod for performing a replacement which should allow users to just do a replacement I believe (though I can check) until such a time as there is a breaking change. Regardless, we'd aim to maintain a migration guide.

As far as deciding what to do, if it's a consideration a standing invitation would be extended to be added as a maintainer to people like Nick and yourself, regardless of any interim decision.

nicksteele commented 2 years ago

I would say that makes sense. Moving outside of the duo-labs org (which I'm no longer a part of 😢 ) would make contribution easier for me. We should be able to move over to this project fairly seamlessly.

MasterKale commented 2 years ago

Hey, I realized it's been almost three weeks. Authenticate kept me busy and I'm finally in a position to ask around internally about migrating this project to another organization. Let me chase this down and get back to you.

MasterKale commented 2 years ago

@james-d-elliott help me understand why transferring is more desirable than, say, syncing your fork with the latest changes, us archiving this copy, and then pointing people your way at the top of the README. This is all open-source after all?

And if we did transfer, how would that impact projects pointed at this repo? Would GitHub set up redirects? Would it break those projects on next build?

james-d-elliott commented 2 years ago

I am sorry, that's how I interpreted the discussion honestly. That fork is technically already up to date (I will obviously double check), I agree with that approach being the most logical. I think preserving history like that is ideal.

I don't know if there is any special method for deprecating a library to make the transition semi-automatic. I don't believe there is but I don't know for certain, I'll see what I can find out, but I understand the context under which you were asking more clearly now! Apologies again.

MasterKale commented 2 years ago

> I am sorry, that's how I interpreted the discussion honestly. That fork is technically already up to date (I will obviously double check), I agree with that approach being the most logical. I think preserving history like that is ideal.

Okay cool, this seems way easier for me to pull off than to escalate internally. Then over time the read-only Duo-Labs copy would communicate in H1 text at the top of the README that users of this library should update to the maintained fork over at https://github.com/go-webauthn/webauthn, at which point you become the authoritative Golang WebAuthn library 🔥

james-d-elliott commented 2 years ago

Yeah I agree. You could theoretically move ahead with adjusting documentation if you wanted, then while we investigate if there is some special method we can put the brakes on archiving it.

I have a feeling the best way to communicate it will be to deprecate the main functions themselves (with instructions) but I'd rather be sure there is no more practical method first.

oschwald commented 2 years ago

You can mark the module as deprecated in the go.mod file. This will make go get print a deprecation warning.
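
A consumer-side check for the deprecation marker described in the comment above, as an added example that is not part of the original thread or either project's code: it reads the JSON stream that `go list -m -u -json all` emits and reports modules whose `Deprecated` field is set. The sample input, its version string and its deprecation message are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields of `go list -m -u -json all` output that this check reads.
type Module struct {
	Path       string
	Version    string
	Deprecated string // taken from the "// Deprecated:" comment in the module's go.mod
}

// DeprecatedModules decodes the concatenated JSON objects printed by
// `go list -m -json` and returns the modules marked deprecated by their authors.
func DeprecatedModules(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var out []Module
	for {
		var m Module
		err := dec.Decode(&m)
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		if strings.TrimSpace(m.Deprecated) != "" {
			out = append(out, m)
		}
	}
}

// Constructed sample; versions and the message text are placeholders.
const sampleGoList = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/duo-labs/webauthn","Version":"v0.0.0-placeholder","Deprecated":"use github.com/go-webauthn/webauthn instead"}
{"Path":"example.com/other","Version":"v1.2.3","Indirect":true}
`

func main() {
	mods, err := DeprecatedModules(strings.NewReader(sampleGoList))
	fmt.Println(mods, err)
}
```

In a build pipeline the reader would be the standard output of `go list -m -u -json all`, and a non-empty result can fail the job or open a ticket.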

james-d-elliott commented 2 years ago

Thanks @oschwald I'll make a PR with this soon.

james-d-elliott commented 1 year ago

Just letting you know @MasterKale that the PR is up. There's no rush on my end, I understand you may need to get some feedback from someone else or may have reservations.. and you're probably pretty busy!

rbroggi commented 1 year ago

Hello all, I see that the library is still the Go reference in webauthn site. @aseigler, what is the lib actually backing the demo site? Is it still a Go library? Thank you

aseigler commented 1 year ago

> Hello all, I see that the library is still the Go reference in webauthn site. @aseigler, what is the lib actually backing the demo site? Is it still a Go library? Thank you

The site is no longer backed by the Go library, it is backed by a Python library from my understanding. The site is open source, you can check it out here https://github.com/duo-labs/webauthn.io.

MasterKale commented 1 year ago

https://webauthn.io indeed now uses Duo Labs' py_webauthn instead, here: https://github.com/duo-labs/py_webauthn

rbroggi-nydig commented 1 year ago

Might be interesting to also change the main reference in the site to point to the new go lib instead of to this one here, right?

MasterKale commented 1 year ago

Yeah, I've no problem with that once we agree internally on the path forward for retiring the Golang library and pointing everyone to the community fork.

MasterKale commented 1 year ago

Alright, it's official - this project is now deprecated. Good luck over in https://github.com/go-webauthn/webauthn ✌️