mochi / mochiweb

MochiWeb is an Erlang library for building lightweight HTTP servers.

Latest release (v2.21.0, OTP 23/24 compat) not available on hex.pm? #233

Closed thbar closed 3 years ago

thbar commented 3 years ago

Hello! I am looking to upgrade mochiweb to the latest version to remove OTP 24 warnings.

The latest release is apparently https://github.com/mochi/mochiweb/releases/tag/v2.21.0.

Hex.pm (https://hex.pm/packages/mochiweb) stops at v2.20.1.

It is easy to mix up those two version numbers, which makes it a tad more confusing :smile:

Just a heads-up, I can use the master or GitHub release, but I thought it would be worth notifying you and other users.

etrepum commented 3 years ago

I’m unable to do anything about that, but maybe @benoitc can fix it? He was unable to add me as an owner last year and the hex.pm team did not want to give me access to my own project 🤷🏻‍♂️

thbar commented 3 years ago

Thanks for the quick reply! I saw a Slack message on the Hex channel mentioning `mix hex.owner transfer`. Maybe this is what we need here?

thbar commented 3 years ago

Discussing that with @ericmj at the moment via Slack.

benoitc commented 3 years ago

Why not discuss it there? If there is a simple way to do it let me know.

On Mon 5 Jul 2021 at 16:31, Thibaut Barrère @.***> wrote:

> Discussing that with @ericmj at the moment via Slack.


thbar commented 3 years ago

@benoitc this is what I have suggested :smile:

thbar commented 3 years ago

Happy to help transmit the message, although this is a tad bit inefficient indeed. Here is the reply from @ericmj:

[Screenshot: CleanShot 2021-07-05 at 16 37 30@2x]

So my understanding is that the correct way for things to move forward is for @etrepum, current maintainer, to request @benoitc to transfer ownership.

ericmj commented 3 years ago

See https://hexdocs.pm/hex/Mix.Tasks.Hex.Owner.html#module-transfer-ownership for information on how to transfer the package to a new owner.

thbar commented 3 years ago

Worst case, @benoitc and @etrepum could share ownership, if a single owner is a problem? (https://hexdocs.pm/hex/Mix.Tasks.Hex.Owner.html#module-add-owner).

etrepum commented 3 years ago

I don't really know what the problem is, only that @benoitc tried to add me before but came across some sort of error. I also tried the dispute mechanism a year ago but they didn't want to do anything about it unless I waited for 30 days. I just emailed them again so maybe they can fix it if @benoitc can't. I don't mind having a second owner, redundancy is great, but if there is only one owner it should probably be me.

ericmj commented 3 years ago

@benoitc Let me know if you need any help with transferring the package.

benoitc commented 3 years ago

Thanks! I will look into it this evening and let you know.

On Tue, Jul 6, 2021 at 11:55 AM Eric Meadows-Jönsson < @.***> wrote:

> @benoitc Let me know if you need any help with transferring the package.


etrepum commented 3 years ago

It looks like the ownership situation is unchanged, and the Hex support team has not responded to me. I've set a reminder to email them again in a month 🤷‍♂️

benoitc commented 3 years ago

I will try to handle that tonight. I have been sidetracked yesterday.

On Thu 8 Jul 2021 at 17:48, Bob Ippolito @.***> wrote:

> It looks like the ownership situation is unchanged, and the Hex support team has not responded to me. I've set a reminder to email them again in a month 🤷‍♂️


ericmj commented 3 years ago

> It looks like the ownership situation is unchanged, and the Hex support team has not responded to me. I've set a reminder to email them again in a month 🤷‍♂️

It is our policy to not intervene unless with permission of the owner or if the owner is unresponsive. Since we don't have permission and @benoitc is active in this thread we cannot do anything.

etrepum commented 3 years ago

@benoitc do you give permission to allow the Hex team to assign me as the owner?

benoitc commented 3 years ago

Of course. I will formalize later today if needed.

On Thu 8 Jul 2021 at 19:35, Bob Ippolito @.***> wrote:

> @benoitc do you give permission to allow the Hex team to assign me as the owner?


etrepum commented 3 years ago

@ericmj does this explicit permission mean you can fix it?

ericmj commented 3 years ago

I will make an exception in this case but please in the future follow the policy for taking over packages or resolve it amongst yourselves. It doesn't scale if the Hex team needs to make manual changes when it can be resolved by users, especially after giving support and pointing to documentation both on Slack and on GitHub.

etrepum commented 3 years ago

This is the only package I own that someone else claimed on Hex, so it won’t be an issue going forward.

etrepum commented 3 years ago

Thank you all for the help sorting this out, the latest tag should be available on hex.pm now and I plan to automate it with a github workflow in the future.

thbar commented 3 years ago

Thanks to everyone involved!

Having access to packages via Hex and ensuring projects do not only live on GitHub is important to give a strong "this is maintained" signal, which encourages people to use Elixir.

Have a great day everyone!

thbar commented 3 years ago

Re @ericmj

> It doesn't scale if the Hex team needs to make manual changes when it can be resolved by users, especially after giving support and pointing to documentation both on Slack and on GitHub.

Definitely agreed; it would though be great to understand what made that ineffective in the past here. I will soon go through that experience myself (for a different package), and I will make sure to provide feedback if something appears "hard". Thanks!

benoitc commented 3 years ago

> It looks like the ownership situation is unchanged, and the Hex support team has not responded to me. I've set a reminder

> I will make an exception in this case but please in the future follow the policy for taking over packages or resolve it amongst yourselves. It doesn't scale if the Hex team needs to make manual changes when it can be resolved by users, especially after giving support and pointing to documentation both on Slack and on GitHub.

Well, the link was pointing to mix documentation. It shouldn't be expected that everyone is using Mix, especially an Erlang developer :) I was planning to look at the rebar documentation to see how to do it. Maybe having it documented on the hex.pm website would ease the process? Also I do think that an author should be able to claim ownership whatever has been done in the past. Copyright should be the main driver there.

Anyway, timezones and my busy calendar conflicted more than anything there :) Happy to see it resolved.

ericmj commented 3 years ago

I didn't know you didn't have access to mix, if so I would have pointed you to the rebar3 docs that we also link to from the website: https://rebar3.org/docs/package_management/hex_package_management/#owner.

Copyright should not be the determining factor on who owns a package. Should the copyright owner be able to take over your GitHub repo because you uploaded or forked their copyrighted code? How would it work with forks that you made slight modifications to or just packaged the code differently? What if multiple people own the copyright? What if the code is licensed so that anyone can upload the code wherever they want (such as mochiweb's MIT license)?

Verifying that a specific hex.pm user owns the copyright is not straightforward and would require additional work by hex admins in addition to manually transferring the ownership.

A copyright owner can request that their intellectual property is removed, unless the license says otherwise, for example by issuing a DMCA takedown request. But a copyright owner cannot take control over a package just like they cannot take control of someone else's github repo.

etrepum commented 3 years ago

The issue here is not so much copyright but the namespace. Allowing forks to take over well known package names could be done maliciously.

In this case the problem was not malice but simply extreme latency. I was fine having Benoit as the owner of the hex package over the years because it got updated occasionally, but then that stopped happening, which is problematic when new versions of Erlang are released that include breaking changes for this very old code base.

It would’ve been resolved over a year ago if he was less responsive, but he was just responsive enough to delay the problem but not fix it. I am not sure why he had trouble adding me on hex.pm, but this seems like something that should be possible on the website to make it easier for people to hand off maintenance if they are not currently active in the ecosystem.

ericmj commented 3 years ago

You don't have the inherent right to an existing package because you maintain a library with the same name. Admins making judgement calls about who is the rightful owner of a package will only lead to conflicts. In this instance no one acted maliciously, but in the case of malicious actors we have tools to find them and admins will of course intervene if they are discovered, but we cannot preemptively intervene because they may act maliciously in the future.

We ask the community to resolve these issues amongst themselves, and in all cases in the past it has been resolved by the community in the cases where everyone involved was responsive, and in the cases where they were not responsive admins have intervened.

> I am not sure why he had trouble adding me on hex.pm, but this seems like something that should be possible on the website to make it easier for people to hand off maintenance if they are not currently active in the ecosystem.

We have avoided adding features to the website that exist on the CLIs to avoid duplicate work but I agree that this should be added to the website.