goss-org / goss

Quick and Easy server testing/validation
https://goss.rocks
Apache License 2.0
5.55k stars 473 forks

The future of Goss #724

Closed mbainter closed 1 year ago

mbainter commented 2 years ago

In a number of places, the future of Goss has been brought up, but with no real clear direction being established:

This project clearly appeals to a broad group of people. It has nearly a hundred contributors, 4500 stars, etc. There are still issues being actively opened and some of them bumped continually when the stale-bot tries to close them - despite there not being any commits in over a year, and no response from the owner since early this year. Clearly, this project has addressed a need that is ongoing.

Looking through the forks, nobody is maintaining a public fork either. I suspect all of us are biding our time, hoping whatever has prevented @aelsabbahy from contributing will be resolved. I have no idea what that might be - but given the way the last two years have been it's not hard to imagine a really long list of possibilities. Even just pure exhaustion would be understandable.

I also know you work at Apple - and so perhaps there are legal reasons you don't feel safe contributing...

Even so, I am concerned about the possibility that the fledgling community that has started here will die on the vine. While I'm happy to try to contribute where I can, I cannot shoulder the responsibility of maintaining an official fork. I'm guessing that is true of many people here. That ends up meaning we're probably all taking on some level of duplication of effort for as long as we're maintaining private "fixes" to keep us going -- until eventually, people decide they can't carry the risk and move to a different tool.

So Ahmed -- if you see this - I'm curious if you wouldn't consider finding some way to expand your contributors. Perhaps even set up a separate dedicated account for goss and invite active and/or interested contributors to it with commit and release access -- so you retain administrative control but can allow people who do have time to keep things moving forward in your absence. Perhaps this might even give you the requisite distance to keep the project safe from ... lawyers...

Would this be an option you'd consider?

drts01 commented 2 years ago

As a user of goss I like the idea of moving to a goss-org in GitHub. Though, I think the challenge of finding available co-maintainers still stands. :(

ekelali commented 2 years ago

Hello Goss contributors/users. Thank you for your patience during the past 10-11 months.

Let's give Ahmed a few more months (until ~ Feb 22); if he doesn't break his silence we can coordinate on a transition plan, as I have access to the repo and should be able to assist to that end.

In the meantime if you maintain a fork of Goss with a specific feature/bug fix that's being used in production, can you post a link to the PR, this way I can disable stale bot for them.

Any current major bugs impacting you in a major way? If so, please add a link in this issue, and I'll mark them as important.

wilrodriguez commented 2 years ago

Thank you for posting this! I have some features I've been working on myself that I haven't yet pushed into github that have been stalled due to Ahmed's absence. I really love the goss platform and I hope it doesn't die on the vine. Our organization is trying to build a testing framework right now for our IaC platforms and goss is perhaps the absolute most compelling free framework for automated system testing. It still isn't extensible enough, which is something that could be fixed by additions like #578 and possibly additional resources that would allow us to test more granular types of configurations. Right now we're looking at inspec, but I really don't want to waste the money when goss gives us things inspec can only dream of, like, performance. I would love if our testing framework could also be lightweight enough to also be our healthcheck framework. With how lightweight goss is, I want to use it all over the place, not just in CI/CD. So, I for one would volunteer to work on this project, I'm a Go newbie who has never made an open source contribution, but I'd happily toss time in as I can.

ekelali commented 2 years ago

Hello @wilrodriguez,

Does the work in this PR, especially the gjson part help the plugin usecase? If so, I could reopen that PR and mark it as approved so it doesn't get stale.

https://github.com/aelsabbahy/goss/pull/646

Is this something you're available to try out and see the state it's in?

• I assume it's still in alpha quality, but looks like it's working given the example files.
• Any feedback on bugs/missing functionality from that PR would be great as I know the v4 work was where Ahmed was focusing his efforts before going silent.

PS: @berney I see you also expressed interest in this.

justnems commented 2 years ago

FWIW, we've tried to contact him on multiple channels, to no avail. Given the age of this project, I think it's probably safe to call it abandoned... My team here at MPG is interested in potentially adopting it and maintaining the project going forward.

wilrodriguez commented 2 years ago

@ekelali I'm a bit busy this week, but once my holidays start next week, I can get on that. I'm still really new to Go, but I think I can get something Go-ing.

ekelali commented 2 years ago

Hello @justnems,

Thank you for your interest in contributing to Goss. If there are any issues or PRs from your team I can mark them as important to prevent stale bot from closing it out.

The project isn't abandoned and will always welcome contributors. However, there's no desire currently to move the project under the ownership of a company.

ripienaar commented 2 years ago

@ekelali sorry, I have to disagree, there is currently no active maintainership. How are contributions welcomed exactly?

I think the right thing to do here is to create a goss organisation and assign additional owners, else a fork is inevitable. You might not want a company to own it, but you can't exactly prevent a fork - other than present a viable alternative.

mbainter commented 2 years ago

Earlier in the thread, @ekelali did indicate he was open to moving it to an organization but wanted to give the original creator a bit more time to indicate if they have an interest in participating in that. I think he was only saying he wasn't willing to directly give over full control to a specific company (where perhaps we'd eventually find ourselves in the same boat once again).

ripienaar commented 2 years ago

@mbainter yes, I appreciate that part of the discussion so far. I am merely taking issue with characterising the current situation as being in an "always welcoming" state.

The stale bot is a really bad idea given the current state of things, it's literally the only maintenance on this project and it's constantly telling everyone with any interest in reporting issues and potentially contributing to go away.

ekelali commented 2 years ago

Hello @ripienaar,

Good call out on stale bot. I was hoping to address it by selectively marking any issues mentioned here as exceptions.

My rationale is those who are invested enough in Goss to comment here are those who are most willing to contribute to change. It also helps with the signal to noise for the next few months until a direction is established.

I've pinned this issue for now to raise awareness on current project status. Please let me know if there are any issues and/or PRs that need to be re-opened and exempted from stale bot.

So far the only feedback I received was this issue/pr:
• https://github.com/aelsabbahy/goss/issues/578 (already exempt from stale bot)
• https://github.com/aelsabbahy/goss/pull/646 (waiting confirmation from @wilrodriguez)

uk-bolly commented 2 years ago

Hi @ekelali

Thank you for starting the movement in this product again. It is clear there is still a desire for this product and the community is still keen to move this forward. We actively use the product daily (see #692), both internally and externally. We have initial releases now available and we are keen to get involved further in its development.

Following through this thread and my colleague's (@justnems) offer to adopt the repository. I understand the concerns around the maintainers of the project and potential loss of control. We already have several repositories where we maintain the relationship with the original developers and have methods to discuss any changes in direction or changes that may have an impact on the value of the original base. I can see no reason we couldn't extend this setup or work with you to get a solution that works in place. Helping to continue development and extend the functions of this product.

We would be happy to discuss further to address any concerns that you may have and see if we could make this work?

regards

bbros-dev commented 2 years ago

My rationale is those who are invested enough in Goss to comment here are those who are most willing to contribute to change.

Huh? Constantly brushing back the stale-bot isn't enough - instead I have to comment on some unrelated issue that is a duplicate of 5+ others?

Please disable the bot until the project is in an active state.

berney commented 2 years ago

@ekelali how many maintainers are there to this repo besides aelsabbahy? You said you have access and I saw you pinned this issue.

There are PRs from dependabot that are waiting on aelsabbahy to review, and the builds/tests stages won't run until the review is completed. Maybe other maintainers can be flagged or peer review can be moved to after build/tests are run. If building and testing passes then it's probably pretty safe to merge the PR and keep dependencies up to date.

I'm a fan of goss, and I plan to keep using it. A lot of people like it and have submitted PRs etc. I understand some of it is more complicated and requires thought about architectural changes, but some of it is simpler, like updating dependencies and small bug fixes or small enhancements (that don't touch architecture).

aelsabbahy commented 2 years ago

Hello all, thank you for your patience. I am working on a permanent solution for my continued technical contribution to the project.

In the meantime, I would like to unblock @ekelali and others to at least enable day to day activity:

like updating dependencies and small bug fixes or small enhancements (that don't touch architecture).

Travis-CI:

the builds/tests stages won't run until the review is completed.

Apparently, this had to do with travis-ci.com plan changes regarding OSS. Travis builds should now be triggering again, but seems limited to 10k credits, whatever that means. I have reached out to Travis-ci for clarity since the wording seems vague on whether there's continued support for OSS projects or if everything is a paid plan now.

bryanlatten commented 2 years ago

@aelsabbahy if you made the migration to travis-ci.org, from their homepage: "testing your open source projects is always 100% free!"

I recently migrated some projects to GitHub Actions - also a free solution for OSS

ekelali commented 2 years ago

Some updates:

• CI has been fixed (#731)
• Stale bot has been disabled (#733)

Next steps are probably upgrading:
• Version of go
• All dependencies

If anyone wants to take on those two tasks, I'll merge successful PR/CI run and cut a release.

mbainter commented 2 years ago

I have a PR up for you in #738 to do the 1.17 jump. Linux tests passed, just waiting on the other two.

mbainter commented 2 years ago

There is now #739 to cover the easy dependency updates. The rest of them I looked at needed more attention. Several have major version releases and of course, protobuf should be using an entirely different module now. Those will need a more focused pass, probably in separate PRs. We might want to open issues to track those in so if other people start jumping in we don't duplicate effort.

mbainter commented 2 years ago

I'm seeing some activity from you today @aelsabbahy. Can you weigh in on the discussion here? There are a lot of open issues and I'm sure I and others in this thread would be willing to help start to get things flowing if we had more confidence in the direction of the project and in the likelihood that someone with access will be available to review and merge fixes and improvements.

In particular, are you open to moving this to a goss organization and/or adding more maintainers to this project? (I don't mean me, but other more qualified people have offered to help in this thread and in other issues like those linked here.)

ripienaar commented 2 years ago

+1 for an org and a team of maintainers.

aelsabbahy commented 2 years ago

I'm seeing some activity from you today @aelsabbahy. Can you weigh in on the discussion here? There are a lot of open issues and I'm sure I and others in this thread would be willing to help start to get things flowing if we had more confidence in the direction of the project and in the likelihood that someone with access will be available to review and merge fixes and improvements.

Any issue tagged as approved, I'll accept a PR for. Most of the open issues I've already marked as such. Unfortunately, I can't do technical contributions/reviews at this time, so would have to lean on the community for that.

In particular, are you open to moving this to a goss organization and/or adding more maintainers to this project? (I don't mean me, but other more qualified people have offered to help in this thread and in other issues like those linked here.)

Given how everything is playing out, I'm starting to warm up to the idea.

In the meantime:

  1. Any issue marked as approved can be worked on by the community.
  2. Those who contributed significant code changes in the past can review PRs (e.g. @ripienaar). If anyone here is interested in this, please let me know in this thread.
  3. I can merge PRs/cut releases.

For major architectural/technical issues that need discussing prior to being approved, @ekelali can handle those.

PS: I have to send an email every month or two to travis-ci to get more OSS credits approved. The process is annoying, but they've yet to decline the request. Putting it here so the community is aware of the CI risk.

krisfremen commented 2 years ago

Hey there,

I use goss for a few projects, and I'd like to improve upon a few things in it as well.

I can pitch in as a maintainer if needed.

Moving goss to an org would be a good step forward.

Cheers!

ripienaar commented 1 year ago

It seems to me that if we want this to continue we need to take the initiative and make an org based on a fork ourselves.

The thread is almost a year old so if we can get a new set of volunteers I am thinking we should just go ahead and do that. Waiting for grass to grow here is getting a bit old.

kierun commented 1 year ago

There does not seem to be much activity from @aelsabbahy at all. I would prefer for them to give us the go ahead before moving, but how long do we wait?

ripienaar commented 1 year ago

It's been like 10 months, seems reasonable.

ripienaar commented 1 year ago

@aelsabbahy can you please comment on your willingness to move the project to an org with multiple maintainers?

aelsabbahy commented 1 year ago

Moving the project to an org with me as the gatekeeper would potentially bring us back to where we are today.

I understand there was a period where my radio silence left many of you frustrated - but since my last post I've tried to be proactive in merging PRs that were ready to go.

Current status:

• There are plenty of issues that have been triaged and marked as approved. (See below)

• Since my last post on this thread only four PRs have come in:

• In total there are currently 3 open PRs:

• The concerning disconnect is none of the PRs submitted were from people on this thread. I am curious on the why of this.

Is there a particular bug or feature that's impacting you today? If so, have you opened an issue to discuss it or submitted a PR that addresses an approved issue on it? Or is the desire to take Goss in a different direction?

If the maintainer discussion is about taking Goss in a different technical direction, perhaps that needs to be a dedicated set of issue(s) discussing the details of them?

I would like to make my bias very clear:

If I had to guess, most Goss users are on Linux. They use the tool, file bugs and feature requests. They expect stability and correctness. That user base has been my priority and the Goss triaged issues mostly reflect their asks.

Some stats:

Approved bugs: 9
Approved enhancements: 26

Non-approved bugs: 2
Non-approved enhancements: 5

PS: I'm on holiday until Tuesday and may not be able to respond until then.

ripienaar commented 1 year ago

Maybe those who want to contribute don't because it seems like a waste of time while the project status is clearly Not Healthy.

I think it’s less about stats of current PRs and more about making constructive changes to show the project is active and maintained.

mbainter commented 1 year ago

For my part, as the person opening this issue, I don't personally have interest in a different technical direction. I am interested in the long term viability of the work you have done. I don't know your specific situation, but running a successful OSS project on your own is difficult, and life happens. I love contributing to OSS projects, but find it an ongoing challenge to make time for it, and to have anything left in the tank for it after my full-time job. All that to say, I don't hold it against you in any sense that you weren't available for periods.

That having been said, I've been burned before, rolling out and depending on a project that had a single owner who then wasn't available, leaving me and countless others maintaining forks with fixes and improvements merged from various contributors in an ad-hoc way until we could spend the overhead to tear it out and replace it. I really don't want to go down that road again. As a result, with this not really feeling like it was being resolved, I just put a pin in rolling this out to see what would come of all this.

I appreciate that you've been more active lately -- but the questions about the state of the project go back to 2018 (see the list I provided in the original post) and that reflects a pattern. A pattern of being human, but still a pattern that is a pretty common issue with successful single-owner projects. And one which, as ripienaar pointed out, makes me hesitant to buy into using and supporting the project. As I noted I'm not a prolific contributor to any project and not looking to be a maintainer so perhaps that's of little to no consequence, but it does go to the point that ripienaar is making.

Moving the project to an org with me as the gatekeeper would potentially bring us back to where we are today.

If it's just a rename of the repository with no changes in organization then yes, you're probably right. The key benefit of moving it to an org is that gives you more flexibility to turn it into a proper community project, with a trusted set of maintainers that share the load of keeping the project going. Ideally you have a clear vision for what the project is and where it's going, and then a trusted community that is aligned on that vision that keeps you from being a bottleneck for the work.

I suspect that as people become aware that's not the case anymore we would see Goss start to build more steam, and more contributors.

ripienaar commented 1 year ago

You can look to the github.com/golang-jwt/ project as an example of this. It was quite stagnant and the single author had no interest in maintaining it. Many months went by without ANY communication from him.

Forks were made by various companies etc and eventually a critical vulnerability was found. But overall activity in that repository was very low.

Community then had to make the org and fork, to get the vulnerability fixed, without permission (no response after MANY attempts) and now it's an active project with active (multiple) maintainers and having received big contributions from community.

Current activity is not a measure for what can be in the future - though doing that org is also not a guarantee that things will change of course.

drts01 commented 1 year ago

I agree that solely moving the repo to an org does not address the concerns that mbainter brings up:

IMO, the most significant issue is increasing the bus factor. Though, I am unsure if anyone is available to be a co-maintainer. Glancing at the contributors and commit history, I do not see anyone with a substantial amount of commits. And the fact that "nobody is maintaining a public fork", also enforces my belief that no one is available.

I too am nervous about the potential of another "radio silence". But TBH, I am not sure there is a solution ATM.

I want to express my appreciation for aelsabbahy's work. Maintaining a project is a PITA 🙃 . And thank you for triaging the pull requests and issues.

To aelsabbahy's point,

The concerning disconnect is none of the PRs submitted were from people on this thread. I am curious on the why of this.

(which includes me) I propose this issue is closed. It is not a good look on a community/project when there is an open issue questioning its future. It seems to me there has been no viable solution presented to increase maintainers. I would be very happy to be proven wrong 😄 .

ghost commented 1 year ago

I want to express my appreciation for aelsabbahy's work. Maintaining a project is a PITA . And thank you for triaging the pull requests and issues.

Hear. Hear.

I am happy to be a co-maintainer.

aelsabbahy commented 1 year ago

I'll reach out to a few OSS peers who have decided to move projects to orgs and get their feedback on how it's worked out for them, the project, and their goals. Also, what has worked as criteria for vetting potential contributors and the access levels.

This will allow for a much more focused conversation around the org discussion and next steps.

bbros-dev commented 1 year ago

One of the great things about git is that forking is the default way of contributing - don't sweat it :)

If more than two people set up an org we'd treat it as upstream. Rename it if there is an objection - I don't expect there would be.

If the current maintainer opts out that is fine. It's not like this is inventing block chain - there is tons of prior art in this space.

So bringing this to a head....

mbainter commented 1 year ago

I appreciate the desire to move this forward, but he is actively engaging with us in good faith on the topic. That being the case, we should as well, so I believe this is premature.

bbros-dev commented 1 year ago

... he is actively engaging with us in good faith on the topic.

He always has. As best I can tell that is not the issue. This is a security related app. It is late to the party, still nascent and yet has stalled.... because one or two people aren't enough in this space, where innovation is still required while building on the existing state of the art.

No one can adopt a new security app if it takes them backwards.

A team isn't optional.

bbros-dev commented 1 year ago

I'll reach out to a few OSS peers who have decided to move projects to orgs and get their feedback on how it's worked out for them, the project, and their goals.

A team isn't optional.

ghost commented 1 year ago

I appreciate the desire to move this forward, but he is actively engaging with us in good faith on the topic. That being the case, we should as well, so I believe this is premature.

I am more than happy for @aelsabbahy to lead the new organization and :100: want them involved. This is in no way, shape or form a hostile take over. I view it as maturing: Working alongside @aelsabbahy and enhancing goss should be the goal.

aelsabbahy commented 1 year ago

The plan is to move goss to an org and add co-maintainers. I've reached out directly to some on this thread already to discuss further.

Will update once everything is coordinated.

aelsabbahy commented 1 year ago

Update:

Goss has been moved to goss-org organization, Travis-ci has been updated with OSS status for the new location. I still have to email them whenever credits are low, but so far they never said no.

I've added write access to @ripienaar and one other top-5 goss contributor. Also, @ekelali still has access.

The contributing guide is still the same and can be viewed here

We’ll start with this approach, and adjust as we go.

Unfortunately, my ability to contribute is still very limited.

berney commented 1 year ago

Great to see this update. Can this issue be closed now?

aelsabbahy commented 1 year ago

Hello all, I know this issue is closed but wanted to comment on here since everyone here is probably passionate about Goss and its status.

I've pushed out all my unpublished local changes to this PR (2.5 years' worth of random work): https://github.com/goss-org/goss/pull/814

Cloning that branch and doing a make build (go 1.20) will get you the binaries, I can also compile and upload binaries to the PR if that's preferred.

That PR is the planned v4 goss release, it contains the biggest set of changes since v3 was released.

Due to the size of the PR, I would love to get feedback on it before it's merged/live. There's also a decision to be made on defaults (documented in PR). Future PRs will be "normal" size and shouldn't require this kind of testing.

Once that PR is released, I would like to follow up with the community on a few items:

  1. If there are any open/closed issues that are important to you that haven't been addressed by me yet, please bring them to my attention (tag me on the issue).
  2. Please feel free to open up any new issues with feature requests/bug reports if you haven't reported them yet. This will allow me to better understand the community's needs.

aelsabbahy commented 1 year ago

Released v0.4.0-rc:

https://github.com/goss-org/goss/releases/tag/v0.4.0-rc.1

I'll let the release candidate bake for a week or two before cutting an official v0.4.0. As always, please submit bug reports and feature requests. Also, feel free to submit PRs toward any approved bug report/feature request.