zip-rs / zip-old

Zip implementation in Rust
MIT License
731 stars, 204 forks

This crate is unmaintained #446

Closed. Pr0methean closed this 5 months ago

Pr0methean commented 6 months ago

In accordance with https://github.com/rustsec/advisory-db/blob/main/HOWTO_UNMAINTAINED.md, please create an advisory to indicate that this crate is unmaintained. If this isn't done by 2024-07-16 and I don't see any maintenance activity by then, I will create it myself. Affected users should upgrade to https://crates.io/crates/zip_next.

a1phyr commented 6 months ago

Hi @Plecra ! If you need help maintaining this crate, I can give a hand from time to time.

Plecra commented 6 months ago

zip-next looks healthy, and I'm in no hurry to revive this crate if @Pr0methean is going to be able to keep it going :grin:. In its current state, zip should get unmaintained status.

Before that though - do you want to move the zip-next implementation over to the zip name? My health is only getting worse and I don't know when I'll be in a state to return to it. (I appreciate your offer a1phyr, but your effort might be better directed towards zip-next haha)

Pr0methean commented 6 months ago

Sure, I'd be glad to take over the zip name and make zip-next a re-export.


Pr0methean commented 6 months ago

@Plecra Have you added me as an owner to zip? If so, I'll publish zip-next under the name zip within 24 hours, then make zip-next a wrapper and PR the RustSec advisory about zip-next within 24 hours of that. I believe the command to add me will be cargo owner --add Pr0methean, based on the following:

hennickc@f8ffc25e7f6e zip-next % cargo owner --list zip
    Updating crates.io index
mvdnes (Mathijs van de Nes)
Plecra
hennickc@f8ffc25e7f6e zip-next % cargo owner --list zip-next 
    Updating crates.io index
Pr0methean (Chris Hennick)

Plecra commented 6 months ago

That should be done now :)

Pr0methean commented 6 months ago

Published as zip, made zip_next a wrapper, and opened https://github.com/rustsec/advisory-db/pull/1949 to advise of the name change.

Pr0methean commented 6 months ago

@Plecra May I please be an admin on this repo, so I can close issues and PRs that are addressed in mine, and archive it once none remain?

djc commented 6 months ago

I definitely got confused by having two seemingly active repos -- would be nice to get this archived. Maybe it makes sense to move Pr0methean/zip into zip-rs and rename this as zip-rs/zip-old?

Plecra commented 6 months ago

I'll leave that up to @Pr0methean

Pr0methean commented 6 months ago

Renaming the new repo to zip-rs/zip would cause old issue and PR links to point to the wrong item. But I'll rename this repo to zip-old once @Plecra makes me an admin.

I also agree that this repo should be archived eventually, but I'd like to at least triage the open issues and PRs first, copy over the ones that are still valid, and close them (another reason I'll need to be a repo admin). If the repo is archived with open issues and PRs, they'll become stuck open.

RouHim commented 6 months ago

Smells like xz, just kidding ;)

TheBlueMatt commented 5 months ago

New maintainer pushing their way in on a strictly algorithm crate that doesn't really need almost any maintenance to keep going, and then pushing code directly to master with no review, nice.

djc commented 5 months ago

> Smells like xz, just kidding ;)

You joke, but IMO this is a scenario where it might make sense to ask @Pr0methean (with no ill intent) to declare/demonstrate somehow why they're trustworthy to take over this pretty popular crate name, and/or to explore other options. This moved pretty quickly.

tnull commented 5 months ago

> Smells like xz, just kidding ;)

To be honest, this isn't super funny. If the xz case should have taught us one thing, it's that you shouldn't handle transfer of crate ownership like this, especially if many crates in the ecosystem depend on it.

Pr0methean commented 5 months ago

@djc I think my work on the fuzz tests speaks for itself.

And I have an incentive to keep going: I'm likely to be looking for a new job soon (should know for sure by the end of May), so I need an open-source project in my portfolio that people have actually heard of and submitted issues and PRs against. From that perspective, zip was the right crate at the right time.

NobodyXu commented 5 months ago

Yeah, but maintainers are all busy and nobody volunteered to step up as a new maintainer until now 😂

You would expect crates like this to get more attention, or even move into rust-lang.

Pr0methean commented 5 months ago

Also keep in mind that I'll be glad to work with another maintainer if and when one shows up.

Pr0methean commented 5 months ago

@Plecra Today I found out about GitHub's merge-queue feature (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue). It seems like it would make it much easier to contribute a pull request when there are already PRs open. It'd also let us limit the backlog of CI workflows, which may be necessary to handle a surge in PRs given that I'm running fuzz in CI.)

But a merge queue requires the repository to belong to an organization. What would you say to the idea of my becoming an org admin and transferring my repo to zip-rs/zip2, while this one becomes zip-rs/zip1? (If we're using a merge queue, we probably shouldn't allow ourselves to push to master without a PR, and instead just use Auto-Merge on our own PRs. We should be able to enforce GPG signing if we use the "squash and merge" or "merge commit" method.)

jayvdb commented 5 months ago

According to https://github.com/zip-rs/zip/graphs/contributors , @Pr0methean has had zero contributions to this original project. Is that right?

One of the major reasons for the "xz" hack was the new owner was actually anonymous, using the name Jia Tan (@JiaT75). I've done a bit of googling, and @Pr0methean has a more normal digital footprint than @JiaT75 did. Still, two hours ago I sent an email to the unverified email address in this commit to check that the identities line up. No response yet. Apologies Chris, but we need to check who is taking over projects/orgs that have a lot of dependencies, and very high number of downloads per day.

Pr0methean commented 5 months ago

I responded from that email address once I saw your latest comment; I wasn't watching it because it's a work email and I'm on leave.

RouHim commented 5 months ago

> Smells like xz, just kidding ;)

> You joke, but IMO this is a scenario where it might make sense to ask @Pr0methean (with no ill intent) to declare/demonstrate somehow why they're trustworthy to take over this pretty popular crate name, and/or to explore other options. This moved pretty quickly.

In fact, it was a joking comment intended to make people aware of the situation.

I'm going to freeze my zip dependencies until this situation is clear.

Also this passive aggressive first post that deliberately builds up pressure on the maintainer. Exactly the same approach as xz. I don't want to jump to conclusions, but it all seems a bit strange.

jayvdb commented 5 months ago

Response received. And with that I can verify Chris' linkedin.

joaommartins commented 5 months ago

> Response received. And with that I can verify Chris' linkedin.

And how do we know you're not working with them? 🤔

EDIT: This is a joke, I work with John.

RouHim commented 5 months ago

Ok, if that's the case, it was a really badly requested and executed change of ownership in view of the current situation.

liningpan commented 5 months ago

It would really help to document this change and mark this repo as unmaintained / point to the new repo. It's kind of scary to see crates.io suddenly point to a different location.

x87 commented 5 months ago

I was considering using this crate in some of my projects, but in view of recent events this sudden ownership transfer gives me zero confidence. Especially since zip is also a highly depended-on archive library. I'll pass 👋

RouHim commented 5 months ago

I really hope this ends well: [image]

Plecra commented 5 months ago

This should be viewed by dependents as an ownership change, yes. If anyone has requests for making the transfer easier to manage, they're welcome, but I would request no more fly-by comments on this issue. As far as I'm concerned, @Pr0methean has done good work on zip-next, and is handling the transfer as I would hope (In particular, all new changes to zip are under a new major version - cargo won't be implicitly upgrading anyone).

There is some good work in old PRs and I'm happy to see that you'd like to address them promethean 🙂 I've made you an owner - sorry for the delay!

(I really appreciate your verification there @jayvdb w.r.t. contributions on this project, I've been mostly unreachable for more than a year)
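Two points in this thread can be checked offline by a dependent: RouHim's decision to freeze zip versions until the transfer is understood, and Plecra's caveat that the new maintainer's releases sit under a new major version, so Cargo's default requirement will not move anyone onto them implicitly. The following is an added example, not code from the zip-rs project or from any participant in this issue. It scans a Cargo.lock for every resolved version of a crate, applies Cargo's caret rule to show which releases a requirement can pull in, and reports any resolved version on a major the project has not reviewed. The lockfile excerpt, the crate `example-archiver`, the version numbers and all function names are constructed for the example.

```rust
// Added example, not code from the zip-rs project or from anyone in this
// thread. Offline audit for "freeze zip until the ownership change is clear":
// scan a Cargo.lock for every resolved version of a crate, apply Cargo's caret
// rule to see which releases a requirement can pull in, and list versions on
// a major the project has not yet reviewed. The lockfile text, the crate
// `example-archiver` and the version numbers in it are constructed.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH". Pre-release or build suffixes are rejected,
    /// so an unexpected "1.0.0-beta" stops the audit instead of passing it.
    pub fn parse(s: &str) -> Option<Version> {
        let parts = s
            .split('.')
            .map(|p| p.parse::<u64>().ok())
            .collect::<Option<Vec<u64>>>()?;
        match parts.as_slice() {
            &[major, minor, patch] => Some(Version { major, minor, patch }),
            _ => None,
        }
    }
}

/// Cargo's default (caret) requirement: "0.6" means >=0.6.0, <0.7.0 and "1"
/// means >=1.0.0, <2.0.0. The leftmost non-zero component of the requirement
/// is the one that may not change, so a dependent declaring `zip = "0.6"` is
/// never moved onto a 1.x release by `cargo update`.
pub fn caret_allows(req: &str, v: Version) -> bool {
    let parts = match req
        .trim()
        .trim_start_matches('^')
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()
    {
        Some(p) if !p.is_empty() && p.len() <= 3 => p,
        _ => return false,
    };
    let mut low = [0u64; 3];
    low[..parts.len()].copy_from_slice(&parts);
    // Component that gets bumped to form the exclusive upper bound.
    let lock = parts.iter().position(|&c| c != 0).unwrap_or(parts.len() - 1);
    let mut high = [0u64; 3];
    high[..lock].copy_from_slice(&low[..lock]);
    high[lock] = low[lock] + 1;
    let v = [v.major, v.minor, v.patch];
    v >= low && v < high
}

/// Every resolved version of `crate_name` in a Cargo.lock, in file order.
/// Cargo.lock is TOML; a line-oriented scan of `[[package]]` tables is enough
/// here and avoids a dependency. Two entries for one crate mean two dependents
/// resolved to incompatible requirements (for example "0.6" and "1").
pub fn locked_versions(lockfile: &str, crate_name: &str) -> Vec<Version> {
    let mut out = Vec::new();
    let (mut name, mut version) = (None::<String>, None::<Version>);
    let mut in_package = false;
    // A trailing sentinel header flushes the last table like any other.
    let lines = lockfile.lines().map(str::trim).chain(std::iter::once("[[package]]"));
    for line in lines {
        if line.starts_with('[') {
            if in_package && name.as_deref() == Some(crate_name) {
                out.extend(version);
            }
            in_package = line == "[[package]]";
            name = None;
            version = None;
        } else if in_package {
            if let Some((key, val)) = line.split_once('=') {
                match key.trim() {
                    "name" => name = Some(val.trim().trim_matches('"').to_string()),
                    "version" => version = Version::parse(val.trim().trim_matches('"')),
                    _ => {}
                }
            }
        }
    }
    out
}

/// Freeze policy: report every resolved version whose major differs from the
/// one the project has reviewed (for zip, 0 = the pre-transfer 0.x line).
pub fn unreviewed_versions(versions: &[Version], reviewed_major: u64) -> Vec<Version> {
    versions.iter().copied().filter(|v| v.major != reviewed_major).collect()
}

/// Constructed Cargo.lock excerpt: a direct `zip = "0.6"` dependency plus a
/// hypothetical transitive crate that declares `zip = "1"`, so two zip
/// versions resolve side by side. Version numbers are illustrative only.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "example-archiver"
version = "0.3.1"
dependencies = [
 "zip 1.1.0",
]

[[package]]
name = "zip"
version = "0.6.6"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "zip"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;
```

To run this against a real tree, read the project's Cargo.lock instead of `SAMPLE_LOCK`; `cargo tree -i zip` then shows which dependent pulled in each reported version. The caret rule is the reason a 1.x release enters a tree whose direct requirement is `zip = "0.6"` only through a transitive crate that itself declares `zip = "1"`, which is exactly the entry the freeze check is meant to surface.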

Pr0methean commented 5 months ago

@a1phyr In case you'd still like to help, I've moved as many as possible of this repo's open PRs into https://github.com/zip-rs/zip2/pulls and invited you as an org member. After accepting, you should be able to push commits to the PRs that didn't successfully build after merging (marked with X). NB: You may yet be able to convince me that some of these PRs aren't worth the trouble to merge at all; I've so far erred on the side of giving them the benefit of the doubt, although I outright declined several that had already become redundant, and one (https://github.com/zip-rs/zip-old/pull/394) that I believe won't actually advance its goal of improving readability.

Pr0methean commented 5 months ago

@cosmicexplorer Same for you, since I noticed you were the author of several of the transferred PRs.

Pr0methean commented 5 months ago

@x87 What can I do to restore your confidence in https://github.com/zip-rs/zip2?

CommanderStorm commented 4 months ago

> What can I do to restore your confidence in https://github.com/zip-rs/zip2?

Honestly, nothing. Trust in maintainers is currently at an all-time low (for good reason). I think that will recover. I see trust as a function over time, people will do semi-regular audits of the crate going forward. Nothing you need to worry or can do anything about ^^

But given that there are a lot of very cool performance improvements you are working on maybe consider doing a talk at one of the many Rust conferences. "Knowing" somebody is a real human should help with the trust problem.

I would put my money where my mouth is and sponsor you (the work you have put into this library definitively warrants that), but GitHub sponsors does only allow Credit cards => would you consider opening an open collective account for https://github.com/zip-rs or https://github.com/Pr0methean? 😉

Pr0methean commented 4 months ago

> I would put my money where my mouth is and sponsor you (the work you have put into this library definitively warrants that), but GitHub sponsors does only allow Credit cards => would you consider opening an open collective account for https://github.com/zip-rs or https://github.com/Pr0methean?

Done; I've created https://opencollective.com/rust-compressed-archive-collec to represent us at Open Collective, and I've applied to have Open Collective Europe ASBL serve as the fiscal host (since they've been the only fiscal host with 501c3-equivalent tax treatment in the US since the Open Collective Foundation dissolved).

@a1phyr @Plecra I've invited you to be my co-administrators; will you accept?

Pr0methean commented 4 months ago

@cosmicexplorer Are you on opencollective.com? If so, I've invited you as well; if not, I'd like to invite you but will need an email address to reach you at. (You can commit it to https://github.com/zip-rs/PrivateInfo to make it visible to zip-rs members only.)