hiqdev / asset-packagist

Asset Packagist
https://asset-packagist.org
BSD 3-Clause "New" or "Revised" License

asset-packagist.org is down #146

Closed scottatdrake closed 2 years ago

scottatdrake commented 2 years ago

The "https://asset-packagist.org/packages.json" file could not be downloaded: failed to open stream: Operation timed out

We've been getting this error for a couple of hours and I'm not finding any info online about the outage. Is this the place to report an issue like that?

RundleRomanowicz commented 2 years ago

Just came here to say the same thing. It looks like the domain has expired. It's showing as parked atm.

xurizaemon commented 2 years ago

The @HiQDev team appear to be based in Kyiv (people). We should factor that into our consideration of them restoring a free service depended on by many worldwide. (I expect I'm not the only person here who never really considered who was hosting or funding asset-packagist.org before today.)

I will probably recommend our teams to move to review assets packaged and determine how to remove the dependency on asset-packagist, first by reviewing whether the component is actually required, then to see if it can be packaged via other means.

The best way I see to support HiQDev and their people is to not depend on them looking after a free service from a war zone.

(I don't have any inside knowledge, just what Wayback Machine and Github shows.)

EDIT: Here's an approach to "packaged via other means" courtesy of Drupal project. This approach might work with some tweaks for non-Drupal projects (type 'drupal-library' won't make sense, try 'vcs' or 'composer' and see if the dist kicks in?).

RundleRomanowicz commented 2 years ago

@xurizaemon I honestly had no clue that was the case. Thanks for doing the research I should have done.

danepowell commented 2 years ago

This is not just an inconvenience, it's a serious security issue for anyone consuming asset-packagist.org. Right now it looks like the domain is expired but still parked with the provider. As soon as it's released, anyone could start serving malicious packages from it.

RundleRomanowicz commented 2 years ago

It looks like @hiqdev / @hiqsol may have been active today

minorOffense commented 2 years ago

If @hiqsol or @hiqdev need someone to pay for the domain or help manage it (i.e. just sit on it and leave it be), my company is willing. Even take over the responsibilities while real life problems are in the way.

We also just grabbed a few asset packagist derivative domains to prevent bad actors from taking advantage.

marclaporte commented 2 years ago

https://asset-packagist.org is up now.

duckboy81 commented 2 years ago

> https://asset-packagist.org is up now.

Can we be assured the original owners are hosting the website and not someone else?

bumbummen99 commented 2 years ago

> https://asset-packagist.org is up now.
>
> Can we be assured the original owners are hosting the website and not someone else?

You could ask danesconames. Normally when a domain is in parking you can NOT register it without the auth code for a certain grace period, so I'd guess it is the original owners.

minorOffense commented 2 years ago

It's the same cert that was renewed with Let's Encrypt on the 12th when the site was last working, so odds are that's the same machine.

generalredneck commented 2 years ago

@hiqsol @bladeroot @SilverFire or @tafid. Hope y'all are safe. Care to comment on any of ☝️. I know this is not the most important thing going on in Irpin, Kyiv, Ukraine at the moment, but looking for an official 👍 that all is well as far as this being a safe resource.

SilverFire commented 2 years ago

Hello, guys. First of all, sorry for a long time without any response. We're all safe, thank you ❤️

> The best way I see to support HiQDev and their people is to not depend on them looking after a free service from a war zone.

Asset-Packagist is hosted on a server in Amsterdam, in the AMSL3 data center, so the data is physically safe. @hiqsol, @bladeroot, @tafid and I have access to the server and we are NOT located in the same city.

We use asset-packagist in our daily development process, so we rely on it as much as the community does. Unfortunately, we've somehow missed the domain expiration notification and were able to renew it with a bit of delay 😣

I, hereby, confirm that both domain and the server are under the control of HiQDev team.

Domain

I've renewed the domain for 4 years and it will be active at least till 2026-04-18.

```
> whois asset-packagist.org | grep Date
Updated Date: 2022-04-19T05:23:55Z
Creation Date: 2016-04-18T14:53:32Z
Registry Expiry Date: 2026-04-18T14:53:32Z
```

Server

We actively maintain it, it's up and running and not compromised, to the best of my knowledge. In order to confirm my words, I've published a message on a server and signed it with a PGP key, published on my GitHub page. You can see the message on https://asset-packagist.org/github/issue_136.txt


Once again, sorry for all the inconvenience we've brought to you by this outage.
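A check that follows from the expiry discussion in this thread, added here as an example and not code from any participant or from HiQDev: it lists the repository hosts a composer.json trusts and flags those whose registry expiry date, parsed from WHOIS output in the format quoted above, is near or past. The function names, the `packages.example.test` host and its dates are assumptions made for illustration, and each repository host is assumed to be the registered domain itself.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed composer.json; only asset-packagist.org comes from the thread.
COMPOSER_JSON = """{"repositories": [
  {"type": "composer", "url": "https://asset-packagist.org"},
  {"type": "composer", "url": "https://packages.example.test"},
  {"packagist.org": false}
]}"""

# WHOIS per host: the first is the output quoted in the thread, the second is constructed.
WHOIS = {
    "asset-packagist.org": "Updated Date: 2022-04-19T05:23:55Z\n"
                           "Creation Date: 2016-04-18T14:53:32Z\n"
                           "Registry Expiry Date: 2026-04-18T14:53:32Z\n",
    "packages.example.test": "Registry Expiry Date: 2022-05-20T10:00:00Z\n",
}

def repo_hosts(composer_text):
    """Hostnames of every URL-based repository declared in composer.json."""
    repos = json.loads(composer_text).get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    urls = (r["url"] for r in repos if isinstance(r, dict) and r.get("url"))
    return sorted({h for h in (urlparse(u).hostname for u in urls) if h})

def whois_dates(text):
    """Parse 'Something Date: <ISO 8601>Z' lines into timezone-aware datetimes."""
    dates = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().endswith("Date"):
            stamp = value.strip().replace("Z", "+00:00")
            dates[label.strip()] = datetime.fromisoformat(stamp)
    return dates

def audit(composer_text, whois_by_host, now, warn_days=60):
    """Map each repository host to (status, whole days until expiry)."""
    report = {}
    for host in repo_hosts(composer_text):
        expiry = whois_dates(whois_by_host.get(host, "")).get("Registry Expiry Date")
        days = None if expiry is None else (expiry - now).days
        status = ("UNKNOWN" if days is None else "EXPIRED" if days < 0
                  else "EXPIRING" if days <= warn_days else "OK")
        report[host] = (status, days)
    return report

if __name__ == "__main__":
    now = datetime(2022, 4, 20, tzinfo=timezone.utc)  # fixed date so the run is repeatable
    for host, (status, days) in audit(COMPOSER_JSON, WHOIS, now).items():
        print(f"{host}: {status} ({days} days)")
```

A host reported as UNKNOWN has no parseable expiry line in the WHOIS text supplied for it and needs a manual look.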

RundleRomanowicz commented 2 years ago

@SilverFire Glad to hear you guys are okay! Thanks for confirming all is okay and for continuing to provide the service :)