oauth2-proxy / oauth2-proxy

A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
https://oauth2-proxy.github.io/oauth2-proxy
MIT License

New Release? #2051

Closed whiskeysierra closed 1 year ago

whiskeysierra commented 1 year ago

Now that https://github.com/oauth2-proxy/oauth2-proxy/pull/2013 has been merged, is there a new release planned?

There are some fixed CVEs in master already, but the latest release is from October.

tolleiv commented 1 year ago

Would also be interesting to hear how others could support the project to enable more frequent releases?

sathieu commented 1 year ago

@JoelSpeed Could you make a new release? 🙏

JoelSpeed commented 1 year ago

Would also be interesting to hear how others could support the project to enable more frequent releases?

We need to build out a community of maintainers. Right now, there's a very small group of us who are only supporting this as a passion project in our spare time. I no longer use the project in a professional capacity, nor do other maintainers I'm aware of.

To start helping out, the primary need is someone who can respond to issues and review code. Fix bugs, rather than add features. Refactor the code and add tests, to make the project more maintainable in the long term.

It doesn't feel right to just hand the reins to anyone, in most open source communities I'm a member of, new maintainers have to build up trust over time, I guess that's something we should be looking to do here too. Proven contribution over a period of time showing thought not only for ones personal interests, but also that of the wider project and community, would be the criteria in an ideal world.

anotherthomas commented 1 year ago

Would it help if somebody created the release MR according to the RELEASE.md?

sathieu commented 1 year ago

I found a fork by @lukas-holzner with recent images:

https://github.com/lukas-holzner/oauth2-proxy/pkgs/container/oauth2-proxy

lukas-holzner commented 1 year ago

I had a similar problem with the CVEs, that's why I forked it and have renovate running to update the dependencies. Merging changes from the upstream is a pain though :/ I was also planning on opening a PR to submit the updates into the upstream, but I haven't found the time yet.

sathieu commented 1 year ago

@lukas-holzner :

I was also planning on opening a PR to submit the updates into the upstream, but i haven't found the time yet.

That would be great!

anotherthomas commented 1 year ago

@JoelSpeed do you have a plan on how to add more maintainers? How can one help?

Morl99 commented 1 year ago

@lukas-holzner :

I was also planning on opening a PR to submit the updates into the upstream, but i haven't found the time yet.

That would be great!

I don't really agree; instead, I would suggest that we configure renovate for this repo and automate the release process.

It might also make sense to decouple releases from building the docker image, as a means to release nightly updates of the docker image with a new base image, since vulnerabilities often originate from the packages within the docker image. To prove my point, see the current vulnerabilities of the latest docker image: all of them originate from within the base image.

I am able to help with that, if this is the direction the maintainers of this project want to go. I would start out with newer versions of the base image that get built and published automatically (without building/publishing oauth2-proxy itself).
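One way to realise the decoupled nightly rebuild described in the comment above, as an added example that is neither the project's own CI nor the commenter's actual proposal: a scheduled GitHub Actions workflow that takes the binary out of an already-released image, copies it onto a base image pulled fresh on every run, scans the result and only then pushes it. The release tag, the quay.io/oauth2-proxy/oauth2-proxy source image, the /bin/oauth2-proxy path inside it, the ghcr.io target, the alpine base version and the workflow name are all assumptions made for the illustration.

```yaml
# Added illustration, not a workflow from the oauth2-proxy repository.
# Rebases a released oauth2-proxy binary onto a freshly pulled base image
# every night, without rebuilding the project itself.
name: nightly-rebase

on:
  schedule:
    - cron: "17 3 * * *"   # every night at 03:17 UTC
  workflow_dispatch: {}

env:
  RELEASE_TAG: v7.4.0                              # assumed: last cut release
  TARGET_IMAGE: ghcr.io/${{ github.repository }}   # assumed: where nightlies go

jobs:
  rebase:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The Dockerfile copies the compiled binary out of the release image
      # (assumed path /bin/oauth2-proxy) onto a base image that is pulled
      # fresh on every run, so OS package fixes land without a new release.
      - name: Write rebase Dockerfile
        run: |
          mkdir -p rebase
          cat > rebase/Dockerfile <<'EOF'
          ARG RELEASE_TAG
          FROM quay.io/oauth2-proxy/oauth2-proxy:${RELEASE_TAG} AS release
          FROM alpine:3.18
          RUN apk upgrade --no-cache && apk add --no-cache ca-certificates
          COPY --from=release /bin/oauth2-proxy /bin/oauth2-proxy
          USER 2000:2000
          ENTRYPOINT ["/bin/oauth2-proxy"]
          EOF

      - uses: docker/build-push-action@v5
        with:
          context: rebase
          pull: true        # always resolve the newest base image digest
          no-cache: true    # never reuse a layer built on an older base
          push: false
          load: true
          build-args: RELEASE_TAG=${{ env.RELEASE_TAG }}
          tags: ${{ env.TARGET_IMAGE }}:${{ env.RELEASE_TAG }}-nightly

      # Gate the push on a scan of the freshly built image: a rebase that
      # still carries fixable HIGH/CRITICAL findings is not published.
      - uses: aquasecurity/trivy-action@0.16.0
        with:
          image-ref: ${{ env.TARGET_IMAGE }}:${{ env.RELEASE_TAG }}-nightly
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"

      - name: Push
        run: docker push ${{ env.TARGET_IMAGE }}:${{ env.RELEASE_TAG }}-nightly
```

The important settings are `pull: true` and `no-cache: true`: without them buildx happily reuses a cached base layer and the nightly image ends up carrying the same vulnerable packages as the previous one. The scan step before the push means a night on which the base image has not yet received a fix simply produces no new tag rather than a tag that looks fresh but is not.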

wollomatic commented 1 year ago

As a workaround, the chainguard image could be an option: https://edu.chainguard.dev/chainguard/chainguard-images/reference/oauth2-proxy/overview/

andrey-podko commented 1 year ago

@Morl99 fresh OS packages in the docker image are not an issue, because Bitnami (VMware) makes their own builds on the latest Debian 11. Updates every day or 2! We can just use them and stop worrying about the official docker build, but Bitnami works only with releases! https://github.com/bitnami/charts/issues/15730#issuecomment-1484667571 Until somebody sets a release tag 7.4.1, this image can also be vulnerable :(

PS I hope they are using a fresh enough base image for the package build, so the image shouldn't be vulnerable, but "hope" is not such a good thing in the security domain :)

Morl99 commented 1 year ago

@JoelSpeed would you be interested in my help in reworking the way the docker images are built, so that we get automated docker builds even if there is no release? If not, I will look into other options, but I prefer to spend my time in the upstream project if possible. (This would most likely be company time, as we are planning on using oauth2-proxy in production. We at DB Systel have a strong commitment to working in open source projects if we use them.)

JoelSpeed commented 1 year ago

@tuunit was talking to me about this last week! Perhaps the pair of you can sync up to come up with a solution

tuunit commented 1 year ago

@Morl99 as @JoelSpeed mentioned, I proposed nightly builds last week as well and will raise a PR for release automation and image building in the upcoming days.

tuunit commented 1 year ago

@Morl99 I will add you as a reviewer 😄

tuunit commented 1 year ago

@JoelSpeed can be closed.