cmb69
commented
3 years ago It seems this has been reverted: 0a869854fc71146d15a6e1b17386baa12d05ca78
Closed foremtehan closed 3 years ago
cmb69
commented
3 years ago It seems this has been reverted: 0a869854fc71146d15a6e1b17386baa12d05ca78
matyhtf
commented
3 years ago @foremtehan This code has been removed. The swoole dashboard is no longer provided in the current version.
The swoole dashboard is a swoole running visualization tool, we will be open sourced as an independent project in the future.
matyhtf
commented
3 years ago Demo video: https://www.youtube.com/watch?v=AcQvI_g4Abs
mnapoli
commented
3 years ago @matyhtf Do you have any more details as to why it wasn't removed when reported initially by another Swoole maintainer? Or why that maintainer has been ejected from the project?
Source: https://news-web.php.net/php.pecl.dev/17446
After several times communicating with the 'matyhtf' who also has the Owner permission of the git repository, he still doesn't want to remove the security concern. Doing further my Owner permission has been removed from the organization by matyhtf.
Did you remove the security issue only because it was reported publicly?
Any extra detail can help form a better opinion regarding what to think of Swoole and whether to trust the project in the future.
deminy
commented
3 years ago There are many great debugging, logging, and profiling tools for PHP, like Xdebug, New Relic, Blackfire, Bugsnag, etc. Unfortunately, most of them are not coroutine-friendly by default, which means they won't work directly with Swoole. Some Swoole users find code debugging/profiling is more complicated.
As the community grows, more debugging/profiling tools work with Swoole, like Apache SkyWalking, Zipkin, Prometheus, yasd, and Swoole Tracker (a free/commercial one). Meanwhile, the Swoole team is working on providing a free, open-source admin dashboard. The problem is how to deploy it. Different approaches were considered, like publishing it as a separate PHP extension, integrating it as part of Swoole, or making a cloud-based package. It's a big task, and the team chose to make it a could-based package first before merging the code to Swoole in the future. This introduced the security concern, where a Swoole-based server needs to download the package from a third-party website automatically before using it.
Some conflicts between Han and Bruce arose when preparing release 4.8.0:
Bruce raised the security concern to Han recently. Although Han acknowledged it and confirmed that all concerns would be addressed before the release, Bruce might want the issue addressed differently. The involved code was removed from the release branch early today.
Bruce wanted to add him as a lead of the PECL extension. Han updated/reverted the commits.
In a small private group, Bruce said some offensive words to Han.
Han moved Bruce out from the Swoole project on GitHub, and cleaned up some user permissions.
Most other team members (including me) were unaware of what happened until early this morning when Bruce and Han started disputing it in a work group. Bruce apologized for what he had said early today; however, they probably won't work together like before.
Bruce started a new GitHub project and published a new PECL extension "openswoole".
Han and Bruce have contributed a lot to the Swoole project and the PHP community, and I have massive respect for both of them. However, no one is perfect, and people make mistakes. This is not the first time in the open source world, and won't be the last. I feel disappointed about what happened this morning, but I will stay with it.
matyhtf
commented
3 years ago @mnapoli
After Doubaokun raised concerns about the security risks of downloading dashborad static resource files, I immediately proposed that it would be fixed before the release of the version. We respect everyone's opinions, and we will try our best to resolve all issues in the final version.
I removed the permission of doubaokun for 3 reasons.
package.xml to change himself to leader without communicating with other members and without my consent. I had to reset his commit via push -f
https://github.com/swoole/swoole-src/pull/4433/filesSo I had to temporarily remove all his permissions. If Doubaokun can cooperate with us friendly, I can add new permissions for him at any time.
doubaokun
commented
3 years ago Hi @foremtehan, @cmb69, @mnapoli & all who may see this thread,
Regarding the security issue, the initial warning was on last Saturday, the second warning was on this Tuesday. But the issue is only resolved after the Open Swoole fork. @deminy you are not in the kernel dev group, so you don't know the full picture and making comments without confirmation with me.
Regarding the 'extremely bad words' were just concern about only matyhtf has the account to do the release and silently push through the package with issues.
At this stage, all the member's releases have to use matyhtf's PECL account which is ridiculous for a project contributed by a group of people.
I was trying to stop the security issues to be published on PECL. As a major maintainer for more than 4 years, I have the right and responsibility to add as 'lead' on PECL to manage PECL packages to resolve this issue. The purpose is cleared said in the commit log: Added release permission #4433, I didn't listed myself as dev in PECL for 4 years to receive credits and I don't care neither.
Also the fact is that my commits are in the logs, everyone can see it. I didn't try or think to add myself for such a long time and did't expect these things can happen.
It is scary to see these things happening and to be removed the Owner role of the organization after you have spend tons of resources on a project for 4 years, then randomly and emotionally removed by another Owner. Then trying to define some new rules make the removing looks like 'legitimate'.
So we will start to work on openswoole and make sure all these issues won't happen.
Best, Bruce
nhlm
commented
3 years ago @doubaokun a fork under the explained conditions makes no sense. Maintaining something for 4 years doesn't make you a leader. Expecting to become the leader of a (sub-)project after investing work over years is no good behavior to demonstrate your leadership skills. If you would be ready for a project lead, the entire issue here would have been solved differently and with less drama from your side.
I hereby boycott openswoole.
doubaokun
commented
3 years ago @nhlm only the 'lead' role can manage the PECL packages. Plus I have the Owner role of this whole organization 'previously'.
nhlm
commented
3 years ago @nhlm only the 'lead' role can manage the PECL packages. Plus I have the Owner role of this whole organization 'previously'.
Does not change anything. Your decisions lead to a conflict which you were unable to handle appropriate. I recommend to fix the root cause of the issue without creating another realm where the root cause still persists. Learn from it, find a solution that does not require to fork or alter directions of a project. And this time, no public drama please.
brendt
commented
3 years ago In the internal wechat group, he used extremely bad words to attack me.
Regarding the 'extremely bad words' were just concern about only matyhtf has the account to do the release and silently push through the package with issues.
Maybe you should just share the conversation instead of making vague accusations at each other. From the outside, I wouldn't trust either Swoole or Openswoole at this point.
that-guy-iain
commented
3 years ago Maybe you should just share the conversation instead of making vague accusations at each other. From the outside, I wouldn't trust either Swoole or Openswoole at this point.
Why? There doesn't appear to be dispute about what happened as far as I can tell both parties agree on what happened and just think they were both justified in their actions.
derickr
commented
3 years ago At this stage, all the member's releases have to use matyhtf's PECL account which is ridiculous for a project contributed by a group of people.
Please don't ever share username/password information with multiple people.
If multiple people need to be able to make releases, they all need to have their own PECL account, and be lead in the package.xml file.
Being lead there means nothing more than being to release packages.
pthreat
commented
3 years ago If it's not well understood why people are complaining about the addition of code download on the fly:
Adding hot code download in the background inside some random file of the swoole project it's considered shady at best.
Obviously, the correct approach is to create a separate project which contains said dashboard.
No one ever could possibly believe that a group of people which have a high degree of coding skills would do this "by accident". And I'm inclined to believe this is why Bruce reacted the way he did.
barbosa89
commented
3 years ago Please fix this, the PHP community will be badly affected 😔ðŸ˜
petk
commented
3 years ago Overall, it is good that this has happened now than in the future when even more projects would depend on Swoole. If anything Swoole project will become one step better and more resilient to such issues, I believe.
If we all leave any personal reasons here aside a bit, @doubaokun has pointed one major issue. Swoole project needs to operate more openly and with a bigger development team in mind. This is not a personal project anymore where Git commits with messages Add something and gazillion new features can land in a patch version.
What is needed in Swoole is a semantic versioning a bit and a better communication when something major is introduced in the code. Many projects depend on this extension. And Swoole needs to make sure that those projects will live on with this extension.
Also, all team members need to start respecting each others work here. No matter who started the project and who manages the community announcements on Twitter etc. Discussions and difficulties about changes are normal.
I hope and wish Swoole and OpenSwoole all the best on their way and may both sides resolve the issues as soon as possible.
It is very pleasant to see that @matyhtf is open to collaboration with @doubaokun who contributes on Twitter really a lot. I hope you two can shake hands, say sorry to each other and accept each other as you are one day. Until then, maybe going two separate ways for temporary is not so bad idea. But from community point of view a bit confusing one for sure.
petk
commented
3 years ago @doubaokun has blocked me on Twitter on the https://twitter.com/php_swoole/ account for commenting on two OpenSwoole Tweets and one PHP Swoole pinned tweet.
This is clearly not a way forward to me for the OpenSwoole project.
nhlm
commented
3 years ago @doubaokun just in case you want to block more, @ nihylum is my handle.
Who said that he is not good at solving conflicts appropriate? Oh wait...
amfolgar
commented
3 years ago https://www.swoole.co.uk/docs/ is showing a header telling to its users that the version supported is openswoole. What will happen with the documentation for swoole (not openswoole)? Are there any chances of rejoining swoole and openswoole into one project?
petk
commented
3 years ago https://www.swoole.co.uk/docs/ is showing a header telling to its users that the version supported is openswoole. What will happen with the documentation for swoole (not openswoole)? Are there any chances of rejoining swoole and openswoole into one project?
I would simply suggest to make a new English forkable documentation on Swoole GitHub account, a new Twitter official account where announcements are shared. Twitter can be used by multiple people flawlessly via https://tweetdeck.twitter.com/
Step by step and from scratch. What @doubaokun did, is ethically questionable and completely reckless, but also not tragic. So, the world won't end and it should not stop Swoole official project to be continued as it is. Code and performance is what matters to its users.
I understand that Bruce feels overwhelmed with everything, threatened and attacked by the majority here but a separate fork and "coup" is definitely not a way to go here with such project where many community projects depend on this extension. I would expect a lot more patience and understanding but it is just not the case at the moment. This will of course be improved in the future one day, hopefully. Until then, I don't see any reason why Swoole couldn't continue where it was.
Well, I don't know. For now, Swoole extension is still installed on my side as it is and it works fine. Just that whole temporary part (Slack, Twitter, co.uk website) is "gone". :shrug:
As far as PECL is concerned, PHP had many cases of similar extensions for the same purpose in the past, so that shouldn't be too much of a problem.
Also, link here should be clarified and confirmed and synced: https://www.php.net/manual/en/intro.swoole.php
deminy
commented
3 years ago Hello @petk . Again, thank you for your support and contributions to the Swoole project.
In the last couple of years, Swoole is a hottest PHP project in China, and it has been the dominant topic in the biggest PHP conferences in China. However, Swoole has been struggling to convince the broader PHP community. There are many things we want to do better, but we are a small team. We hope more open source contributors can join the project, and we are working on inviting international contributors soon.
We are looking forward to contributing back more to the PHP community. Thanks.
Hey i just saw this comment :
https://github.com/heroku/heroku-buildpack-php/issues/297
Can you elaborate what does exactly that part of code ?