openshift / osin

Golang OAuth2 server library
BSD 3-Clause "New" or "Revised" License
1.92k stars 399 forks

Deprecating the project #186

Closed RangelReale closed 6 years ago

RangelReale commented 6 years ago

Hello,

As everyone can see, this project has not been updated for a long time. Because of a lack of time, I am not finding time to review all issues/pull requests, and it is very important to review all carefully because bugs in this kind of library can have serious consequences.

Also OAuth best practices and extensions appear all the time, so this kind of library requires constant attention, which I cannot commit at this time.

So I am thinking of deprecating this project, marking it as read-only, and recommending other libraries on the README to warn people still coming here.

Looks like the better maintained library is "ory/fosite", which as I remember started as a fork of OSIN (I think). Can someone recommend other libraries that I can link to?

MarAvFe commented 6 years ago

Amazingly, I was just today studying this project to implement it. But thanks for the heads up! I'll check yours and others' recommendations.

yookoala commented 6 years ago

Thanks for the work @RangelReale. Sorry that the project is deprecated, but it had its time.

enj commented 6 years ago

@RangelReale would you consider transferring ownership of it to @openshift? We (Red Hat) use it extensively in openshift/origin. While we are unlikely to implement any features, we will handle security issues since they would impact our OAuth server.

RangelReale commented 6 years ago

@enj definitely, I think this would be the best solution for this. How can we do this?

enj commented 6 years ago

@RangelReale I have reached out to the people who have done similar transfers before. I will update you once I know more.

enj commented 6 years ago

@RangelReale here is my proposed plan, let me know if you agree (also what about RangelReale/osincli?):

  1. Transfer ownership of this repo to @dobbymoodge
  2. @dobbymoodge has the ability to transfer repos to @openshift, and will do so once you give him ownership
  3. Once this repo becomes openshift/osin, @RangelReale will fork it to RangelReale/osin
  4. @RangelReale will disable issues and PRs on the "new" RangelReale/osin and update the GitHub description to point to openshift/osin

The above should make it so that anyone using RangelReale/osin will not break, they will simply be frozen in time.

All issues and PRs will be left intact and will live at openshift/osin

RangelReale commented 6 years ago

Fine with me, let's do this on Monday, if someone has any objection, please say here before that.

enj commented 6 years ago

@RangelReale good to go?

RangelReale commented 6 years ago

Sorry for the delay, I was in a place with bad internet, now it is ok. I will do the transfer now, of both osin and osincli.

RangelReale commented 6 years ago

Done, please contact dobbymoodge to accept the transfer.

dobbymoodge commented 6 years ago

@RangelReale The repository transfers expired. Can you please re-transfer the repo?

I had a busy weekend :(

RangelReale commented 6 years ago

Done.

enj commented 6 years ago

@RangelReale I believe the transfers are complete - I think now you just need to fork them back and freeze.

RangelReale commented 6 years ago

Done. Can I make a notice in my README before freezing?

enj commented 6 years ago

@RangelReale just changing the description would be safer. Otherwise you will have a commit in your fork that does not exist in the openshift/osin code.

stephenafamo commented 6 years ago

Going forward, who do we tag to review issues and merge pull requests?

Because I'm about to use this package on a project, and I'd like to know who would be looking at stuff. I'm happy to contribute, of course, just want to know that someone would be interested in reviewing.

Also, are there any plans to review all the open pull requests and issues?

enj commented 6 years ago

> Going forward, who do we tag to review issues and merge pull requests?

The relevant people already watch the repo.

> Because I'm about to use this package on a project

Please don't. There are far better and more robust options out there such as ory/fosite, dex, etc.

> I'm happy to contribute, of course, just want to know that someone would be interested in reviewing.

That effort is better spent on a more active project.

> Also, are there any plans to review all the open pull requests and issues?

Unless it is a security issue, I will likely close them.


As I noted above, we are not likely to implement any features. The repo is effectively in maintenance mode. The core of this repo is on the order of 650 LOC and likely does not suffice for most use cases. Also, please use OIDC as that adds a lot of the missing pieces to OAuth 2. I cannot think of any good reason for someone starting a new project to use this repo.

stephenafamo commented 6 years ago

Okay. Thank you.

RangelReale commented 6 years ago

Well, the process is done, so I am closing the issue.

enj commented 6 years ago

@RangelReale thanks for your work over the years :+1: :smiley: