pypi / support

Issue tracker for support requests related to using https://pypi.org

PEP 541 Request: Requests for projects owned by user etingof #2420

Closed lextm closed 2 days ago

lextm commented 1 year ago

Project to be claimed

See below

Your PyPI username

lextm: https://pypi.org/user/lextm

Reasons for the request

Grouping of 13 PEP 541 requests for projects:

pysnmp-mibs pysnmp-apps pysnmpcrypto snmpfwd snmpreceiver snmpdiscoverer snmpresponder pysmi snmpsim snmpsim-data snmpsim-control-plane snmpclitools pysnmp

All of them are owned by the same user, Ilya Etingof (@etingof). But sadly he passed away a few months ago, as announced here.

The packages are dependencies for many open source software or tools used by many of my clients and a broader community. I'd like to take ownership of the packages and keep them up-to-date.

I have contacted owners of several forks, but either no reply or they are not interested in taking over the ecosystem. I also contacted Yeray who has previously requested project ownership in ticket https://github.com/pypa/pypi-support/issues/1104.

Please add me as admin to the projects on PyPI and Test PyPI.

Maintenance or replacement?

Replacement

Source code repositories URLs

Ilya's repos

https://github.com/etingof/pysnmp-mibs https://github.com/etingof/pysnmp-apps https://github.com/etingof/pysnmpcrypto https://github.com/etingof/snmpfwd https://github.com/etingof/snmpreceiver https://github.com/etingof/snmpdiscoverer https://github.com/etingof/snmpresponder https://github.com/etingof/pysmi https://github.com/etingof/snmpsim https://github.com/etingof/snmpsim-data https://github.com/etingof/snmpsim-control-plane https://github.com/etingof/snmpclitools https://github.com/etingof/pysnmp

new repos owned by me

https://github.com/lextudio/pysnmp-mibs https://github.com/lextudio/pysnmp-apps https://github.com/lextudio/pysnmpcrypto https://github.com/lextudio/snmpfwd https://github.com/lextudio/snmpreceiver https://github.com/lextudio/snmpdiscoverer https://github.com/lextudio/snmpresponder https://github.com/lextudio/pysmi https://github.com/lextudio/snmpsim https://github.com/lextudio/snmpsim-data https://github.com/lextudio/snmpsim-control-plane https://github.com/lextudio/snmpclitools https://github.com/lextudio/pysnmp

Contact and additional research

The previous owner Ilya Etingof (@etingof) passed away a few months ago, as announced here.

I already outlined the complete plan to take over the ownership of the entire ecosystem, as documented

https://github.com/etingof/pysnmp/issues/429

and contacted parties that might be interested in owning the pieces.

lextm commented 1 year ago

My team have published several new releases of lextudio/pysnmp and lextudio/snmpsim in the past two months.

Now that this request has long passed the six-week reachability phase, is there any update on whether to move on to the next phase?

yeraydiazdiaz commented 1 year ago

Hi @lextm, I don't feel comfortable simply assigning you as owner of all these projects. As explained by @tiran, these are critical security projects, so I'm going to defer to @pypi/warehouse-admins.

lextm commented 1 year ago

@yeraydiazdiaz Thanks for at least responding with the progress.

di commented 1 year ago

> inexio (no response)

I think this person (@Lostboi on GitHub) previously filed PEP 541 requests which have been aggregated here: https://github.com/pypi/support/issues/1104

lextm commented 1 year ago

@di I was writing about the company of inexio GmbH, which was once the sponsor of Ilya, and was trying to fork and maintain the documentation site as well as some repos that their products depend on, such as snmpsim.

I wrote to both support@inexio.net and info@inexio.net in Nov 2022, but never got a reply.

It is not clear to me what the relationship is between inexio GmbH and @Lostboi, except what you might find under #802, where @Lostboi seemed to request package ownership on behalf of inexio.

Lostboi commented 1 year ago

Hey guys, yes, I was trying to get the ownership of the packages on behalf of inexio, since Ilya did not answer us anymore, and the project seems not to be continued. So we decided to try to maintain the whole snmpsim project. Sadly we didn't get the time to maintain the project further, and I am not working for inexio anymore.

I know that support@inexio.net does not answer because they don't know whom they could address the task to.

Since Ilya has unfortunately passed away, I would think it best that the co-worker (e.g. https://github.com/tiran) of Ilya maintain the project as far as they can, because of the security relevant topics.

lextm commented 1 year ago

While this request is being further reviewed, I'd like to ask for clarity on how the security risks are being evaluated.

The original comment left by @tiran contains several key points:

  1. "I'm confident that he will be back in the future". At that time, June 2021, the original owner could likely have come back. Now we know that's not the case.
  2. "https://pypi.org/user/inexio was created less than a year ago". I wonder if that's a fair way to evaluate a company account. inexio GmbH was founded in 2007 according to file, but only started to publish PyPI packages in 2020. I am in a similar situation: I entered the SNMP business in 2008, founded my company in 2018, and just started to publish PyPI packages in 2020.
  3. The claim that "packages are used in security critical infrastructure" is also interesting. While pyasn1-related packages might have a bigger impact on the security side, as their consumer base is much larger, the packages listed here for pysnmp have a much smaller impact. While "SNMP is typically used in enterprise environments to control and monitor hardware like routers and switches", my question is how many of them are using PySNMP rather than the other SNMP implementations out there? Personally I have been managing the most popular C# SNMP open source library, with more than 1.2 million downloads, since 2008, so I do understand how to run an open source project in this field.

juliakreger commented 1 year ago

Greetings!

I'm curious if there is an update or if any consensus has been reached? Ilya was on my team when he went on leave to never return, and I can say with certainty that he wouldn't want to see pysnmp fragment. Pysnmp for Ilya was much more a project out of passion instead of work funded by any specific employer. As someone who is looking for the next logical path with pysnmp because I have partners using it in driver code today, I really hope a forward path can be reached. One aspect which comes to mind is passion. To me, it seems like @lextm is approaching this with passion, which reminds me so very much of Ilya. 😢

neirbowj commented 12 months ago

As a casual, interested observer, this request appears to be stalled, to our collective detriment. In the interests of the PySNMP project and its constituent components, the projects that depend on them, and the broader PyPI community, I would seek greater clarity on the status of this request relative to the PEP 541 process.

Starting from the top, the section on Reachability stipulates that "the maintainers" (meaning those who operate PyPI) "will try to [contact the user] at least three times" (where "the user" is evidently one who is able to publish material to a PyPI project, and "contact" is by email according to one of three defined addresses). I have to identify evidence linked from this request to show that the maintainers have carried out this step. If this step has been completed, could a maintainer please post evidence here? If not, what is preventing progress?

I welcome enlightenment on points I have failed to sufficiently grasp.

geofft commented 6 months ago

Hi - I'd like to re-raise this request. I think passing ownership to @lextm makes sense, for a few reasons. There appear to be two active forks of PySNMP; besides https://github.com/lextudio/pysnmp (currently pip install pysnmp-lextudio), the other is https://github.com/pysnmp/pysnmp (pip install pysnmplib). But that one has pointed people at Lex's fork for feature requests (e.g., pysnmp/pysnmp#40), and they have not raised a request to take over the PyPI name pysnmp.

Furthermore, the pysnmp GitHub organization also has its own fork of pyasn1, published as pip install pysnmp-pyasn1. This was necessary because Ilya Etingof was also the maintainer of pyasn1, and in fact Lex also had forked it (as pip install pyasn1-lextudio). But ownership of pyasn1 was transferred in #2090 and maintenance has been continued, and Lex's project now depends on the standard one (lextudio/pysnmp@924a022cb7c4d23cd9dbb88cd78696725d3fae39), whereas pysnmplib continues to depend on their fork.

If I understand correctly, you cannot have both pysnmplib and the standard pyasn1 in your transitive requirements, because both pysnmp-pyasn1 and the standard pyasn1 use the same importable name import pyasn1. So, the other fork is essentially not usable in the broader ecosystem. This was reported as pysnmp/pysnmp#51 but there has not been any response.

But you can have pysnmp-lextudio and pyasn1 coinstalled. So, I think transferring the ownership to @lextm is consistent with the PyPI project's previous decision in #2090 and is the best thing for the ecosystem.

I also agree with the point above that @tiran's statement about security sensitivity is more about pyasn1 than pysnmp - yes, pysnmp is used in security-sensitive contexts, but pyasn1 is very widely used and the risk of passing it to someone untrustworthy is much, much higher.

To the most recent question about contact: the user cannot be contacted due to his death, and so this step is moot.

But I don't know what the next step is, then. Can a PyPI maintainer comment on what needs to be done, please?

(@tiran, since you specifically requested a hold on transferring Ilya's projects in #1104, would you mind sharing thoughts on what should happen with pysnmp and more generally the non-pyasn1 projects?)
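The import-name conflict described in this comment (two distributions, pysnmp-pyasn1 and the standard pyasn1, both installing the top-level module `pyasn1`) can be detected mechanically from installed-package metadata. The script below is an added illustration, not code from this thread or from any of the projects named in it; it assumes Python 3.10+ for `importlib.metadata.packages_distributions()`, and the sample mapping is constructed to mirror the situation described above, not captured from a real environment.

```python
"""Find top-level import names that more than one installed distribution claims.

Two distributions shipping the same import name (e.g. `pyasn1`) silently
overwrite each other's files in site-packages, so whichever was installed
last wins. Surfacing that before deployment is a cheap supply-chain check.
"""


def find_import_collisions(mapping):
    """Return {import_name: sorted distribution names} for every import name
    claimed by more than one distribution.

    `mapping` has the shape returned by importlib.metadata.packages_distributions():
    top-level import name -> list of distribution names that provide it.
    Duplicate entries for the same distribution are collapsed first.
    """
    return {
        name: sorted(set(dists))
        for name, dists in mapping.items()
        if len(set(dists)) > 1
    }


def check_environment():
    """Scan the running interpreter's installed distributions for collisions.

    Imported lazily so the pure function above stays usable on older Pythons.
    """
    from importlib.metadata import packages_distributions  # Python 3.10+

    return find_import_collisions(packages_distributions())


# Constructed sample (hypothetical data): what packages_distributions() would
# report if both the standard pyasn1 and the pysnmp-pyasn1 fork were installed
# alongside pysnmplib.
SAMPLE_MAPPING = {
    "pyasn1": ["pyasn1", "pysnmp-pyasn1"],
    "pysnmp": ["pysnmplib"],
    "pysnmp_pyasn1_fork_only_module": ["pysnmp-pyasn1"],
}

if __name__ == "__main__":
    for name, dists in find_import_collisions(SAMPLE_MAPPING).items():
        print(f"import name {name!r} is provided by: {', '.join(dists)}")
    live = check_environment()
    print("collisions in this interpreter:", live or "none")
```

Running it against the constructed sample reports `pyasn1` as provided by both `pyasn1` and `pysnmp-pyasn1`; running `check_environment()` in a real virtual environment gives the same kind of report for whatever is actually installed, which is the check a packager would add to CI before pinning either fork.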

lextm commented 5 months ago

While this request remains pending, projects have migrated to the *-lextudio forks in the past few months. Below is not intended to be a complete list, but the momentum is clear.

| Name |
| --- |
| OpenStack |
| Checkmk |
| Home Assistant |
| Genie libs |
| brother |
| Proliantutils |
| labgrid |
| snimpy |

ambv commented 2 months ago

We could not reach Ilya, and we consider his projects abandoned per PEP 541. We recommend that the PyPI Administrators assign @lextm as the new owner of the following projects, and we confirm that the community is already using Lex's forks in considerable numbers:

https://github.com/etingof/pysnmp-mibs https://github.com/etingof/pysnmp-apps https://github.com/etingof/pysnmpcrypto https://github.com/etingof/snmpfwd https://github.com/etingof/snmpreceiver https://github.com/etingof/snmpdiscoverer https://github.com/etingof/snmpresponder https://github.com/etingof/pysmi https://github.com/etingof/snmpsim https://github.com/etingof/snmpsim-data https://github.com/etingof/snmpsim-control-plane https://github.com/etingof/snmpclitools https://github.com/etingof/pysnmp

Please note that Ilya used two accounts on PyPI. The main one's https://pypi.org/user/etingof/ and the other is https://pypi.org/user/ilya/. We determined this is the same person, as corroborated by the fact multiple projects list both accounts as an owner, and the remaining projects use the ilya account but also list the etingof@gmail.com address in the package metadata.

Disclaimer: We are providing support to the PyPI Administrators to validate this request and make a recommendation on the outcome and actions to be taken. Final determination will be made by the PyPI Administrators when our process is complete.

ewdurbin commented 2 days ago

PyPI

TestPyPI

None of the listed projects exist.