Django-guardian welcomes your support #603
Comments
ad-m
changed the title
|
Hi, I’m new here. Let me know how I can help. |
|
Might be worth pinning this issue for more visibility. |
|
@johnthagen I didn't know you could do that. Thanks. Now done. @kiran-capoor94 I noted that nobody replied to your request, at least not here. If you are still interested in helping, please see the list in the first message. In particular, there are 16 pull requests open at present. Help reviewing these and fixing them up to a acceptable standard appreciated. |
|
Hey 👋 , I would like to help around where I can too. Picking up a few issues and contributing code for now. |
Thanks, will review. |
|
I would like to help with some problems. i am currently using django-guardian on a project |
|
@melvyn-sopacua , there are 13 pull requests open at present. Help reviewing these and fixing them up to a acceptable standard appreciated. Notes that you don't see problems are also support. There are also open development issues, e.g. #694. Everybody can take it and provide pull requests to solve it. |
|
@ad-m Maybe you can consider jazzband.co. they are almost a django community. |
|
@ad-m would you like to add me as a maintainer? Maybe give me pypi access too... I could at least triage some of the issue backlog, merge a few PRs and help get a new release out supporting django 3.2? |
|
Thanks for reporting. I am glad that you want to support the project. I don't remember you, apart from the last review unfortunately. I propose to start in small steps with PR reviews. In the case of GitHub, anyone can publish reviews. After a certain period of cooperation, we will be able to grant special powers. |
|
Yes, but we may need an active maintainer who is familiar with django. Join jazzband.co is really easy for this. |
Been around since 2018 and had a lot of use of guardian with various use cases.
I think I'd second @RainshawGao - joining jazzband will take a lot of effort off your shoulders, ensure that experienced people are able to help with maintenance tasks, and save vetting people yourself (which I understand why you feel the need). Also: it's worth noting that we can't review PRs unless we're maintainers. The best we can do is chuck in a few comments into the PR conversation which is helpful but not an actual review. |
Of course it is. The only difference is that if a maintainer adds a There's no difference between a review from a maintainer or anybody else if it contains proper feedback instead of just a |
|
https://github.com/jazzband/django-authority it less maintained than django-guardian as far as I can tell - and that's already a jazzband project |
|
Are there any active maintainers of this project at the moment? Is there any planned upcoming release? |
|
Such a good project has made up the short board of django authority management, but no one actually maintains it. It is a real pity. I suggest that contact the django official to see if there are resources to support it. |
|
Hi all, checking in here to see if there is anything that I can do to help move this project to jazzband or getting in touch with Django official. |
|
Just a note, Jazzband is not necessarily a panacea to help with maintenance. Over at |
|
Are there any trusted forks of this project that are maintained ? |
|
The problem is the lack of interested people willing to contribute. Not the lack of forks. As per above post on moving to Jazzband, while maybe a good move, it isn't going to magically fix that. Personally, I am only maintaining one project that uses Django, it doesn't use django-guardian, and is not likely to do so anytime in the foreseeable future. So count me out :-) |
|
@brianmay if you have commit access and there is nobody maintaining this, can you write that this project is not maintained in the readme to add some more visibility ? This is still the top recommendation for django permissions despite not being maintained. It seems like there are users that could be nudged into helping. |
|
Hi @ad-m and @brianmay just touching in here - I'm still a user of django-guardian and as I said above am still very much willing to participate, as I really don't want the project to die. Long time and experience has taught me that contributing by commenting on, updating or even creating PRs isn't a good use of extremely valuable time unless:
Generally OSS projects fail for one of three reasons
I feel like there's a mix of all three here but would be interested to hear what your thoughts are? These reasons can be fixed by
Suggestions
Solutions (1) and (3) will require ownership-level permissions on both GitHub and PyPi so that we have the agency required to run the project well. About OctueYou should be incredibly reluctant to give maintenance/ownership privilege to anyone in light of the increasing number of package ecosystem based attacks (and when you're running an app explicitly about security, even more so!). So please do your research first into who people are (you can see my linkedIn here!)to gain a level of confidence (or at least a name you can give to the FBI if things go south!!!) and I'm happy to have a few calls to look at a roadmap for what might be done, and build confidence. Octue (octue.com) is an Open-Source Software company (not technically a nonprofit but we operate as one) founded in 2013. Our mission is to help scientists and engineers work more effectively with data, and we predominantly work in the renewables and climate space. We work with the International Energy Agency and the International Electrotechnical Commision on matters related to data standardisation and open source. We currently use django-guardian in multiple applications and we sponsor maintenance on the django-guardian integration for django-unfold. You can see on github.com/octue that we maintain a number of open-source projects which we fund on a consultancy model (working mostly with engineering companies and universities working in the wind sector), and we're working toward sustainable solutions for funding our OSS efforts. Of particular relevance will be our django-gcp project which is most like django-guardian, albeit many fewer stars! Next StepsIf you'd like help in any of the ways suggested (or a mixture, or none but you have another idea of how we could help) please do book a time to talk about it. Whilst thinking about and googling around this subject today I came across this useful article. Whether me or other people, it's a really useful guide. |
|
I am somewhat conflicted. I got access to this project by accident - IIRC I complained once to often about problems packaging it for Debian. Which was a dependency of another Python package that I used at the time. As a result, I have never been very interested in it, although I did give releases for a while. I have not looked at it for years. As a result, I am not familiar at all with the code base. I am not sure I am a good candidate for establishing trust for a future owner. For that matter, just because I have write access to the project, and have had write access for years, does that you really mean you can trust me? Even if you can trust me, can you trust me to keep my account secure? Can I really be trusted to hand this other to somebody else who can be trusted? There are currently 3 admins + 1 with write access. Do we trust all of these people? Really? The recent XZ attack has shown that attackers are prepared to spend years generating good commits in order to to establish trust before implementing malicious code. But would they really gain anything from attacking this project? Can't affect OS level systems. Maybe if there was a website the attacker knew used django-guardian, and they were targetting that website. But risky, while spending time establishing trust, the website could be changed not to rely on django-guardian anymore. With django-guardian in limbo for so long, this would be completely justified. It is perhaps worth noting, that I imagine if one python package had malicious code, with Python's runtime model, it would be easy for it to monkey patch other Python code. Can you do this without it being obvious? Maybe with obfuscated code. The general idea of having the "django-guardian" organisation is that it is possible to transfer ownership to a new owner. The advantage of this is that this happens transparently, no need for users to worry. The disadvantage of this is that this happens transparently, users may not even be aware that ownership has changed. There is no opportunity for users to review changes since the ownership has changed. i.e. the exact same advantage is the serious disadvantage also. Even if users were arare that the ownership had changed, would they do any checks? We could make it easier by providing a link to https://github.com/django-guardian/django-guardian/compare with the versions filled in. Users would need to check these are the correct versions. But you could add information to the top of Maybe I am dreaming, but I am more and more inclined to think for a project like django-guardian, users really need to be doing a diff of every single update. Maybe tooling needs to be improved to make this easier. That way:
Having said all of the above, I am inclined to think that a dead project is perhaps the worst possible compromise, security wise. If somebody does insert malicious code, there isn't going to be anybody to notice. How about:
In maybe a years time (for example), we can review, and upgrade/downgrade as required. |
In recent months, the project did not have new releases. This was due to the lack of time on the part of the current project maintainer. Even I myself do not have time, and I do not even use django-guardian in any actively developed project.
This situation is not good for the project. It is necessary to devote some time for:
Who has a certain amount of time to carry out these tasks and lead the project further?
The text was updated successfully, but these errors were encountered: