@bmarinov short answer: yes.
longer answer:
Yes, replacing v2/v3 is the way to go, but please beware it _WILL_ break compatibility. And because of this, this is your chance to change/fix any existing/newly introduced APIs, so please let me know if you have any
And lastly, thank you!
Just a thought, but would adding something like this in the README of a FOSS project fly? I don't expect to actually get paid, but I'd like to encourage contributing back while being as non-obtrusive about it for actual users. #FOSS
https://gist.github.com/lestrrat/9ea36c813eebb9bc619d5fadada97483
@kkarhan Yeah, in my case I routinely update the main library, it's just that the dependencies don't need any change.
I think the worst part of this story is that the reporter (at least claims to) work at RedHat.
@fbievan the maintainer is me, the same person also maintaining the main library (jwx)
So, honestly. Do you consider a library _LESS SECURE_ because its underlying libraries have not received updates in the last two years? #golang #foss #jwt #jwx
https://github.com/lestrrat-go/jwx/issues/1146
If said libraries have tons of unhandled issues, sure. But I have fixed whatever that was reported, and other than that they haven't received any bug reports.
If anything, I'd argue that I was able to isolate very specific pieces of non-essential logic, and churned out very stable set of libraries
Released https://github.com/lestrrat-go/jwx/releases/tag/v2.1.0
Because there's a minor breaking change in jwt.ParseRequest(), the new release of http://github.com/lestrrat-go/jwx is bumping its minor version from v2.0.21 to v2.1.0 #golang #jwt #jwx
maybe this is just the OCD in me, but I just don't understand how FOSS projects can live with issues and PRs open for years. I personally decided a while back to let a bot close any dangling issues/PRs after 2 weeks. I just don't think they cause more harm by burying important issues and that they do not add any value by staying open.
just something I think every time I see other people's projects.
I made a crossbow
Anyways, I think my point is that FOSS goes both ways: Users get to use our code for free, we get to decide what to do with it, including calling it quits. And when push comes to shove, our own health and what not should come first. Us developers should be allowed to freely quit supporting our own FOSS projects.
Of course there will be people giving you shit for "not caring" about the public cause and what not, but seriously, those who accuse you of shit like that will never be willing to pay for the price of volunteer maintenance.
We should NOT be held accountable for calling it quits. I could understand it if people are complaining because you changed the license to something that only rich companies could use to mitigate the situation, but if you archive it, the source code is still there.
Giving co-maintainer to a person you barely know is a no-no, as you would be giving them your seal of approval. Archiving it is a declaration of you going kaput. And if they need your software, those who care can take it, including doing the validation for who should be the maintainer (of course, more than likely nobody will raise their hands, but...). Otherwise they will probably just write a replacement.
I think this approach is much better than handing your trust to a potential bad actor.
reading up on xz saga and how the perpetrator forced himself to be a committer to the project --- I think as FOSS developers we should not exclude letting go of projects when we can no longer support it responsibly.
And by letting go, I mean archive it, leaving it in the hands of the community (and people with more willpower than your withered self) to Do The Right thing.
I keep being tormented by the size of my build plate... I want to print bigger parts...
.oO(https://www.elegoo.com/en-jp/pages/elegoo-orangestorm-giga)
No, no, what am I thinking. Before money is even an issue, I physically don't have the space...
Protip: DON'T just try to make security related code work without knowing what you are doing. At the very least, learn to read the relevant RFCs when you encounter problems, at least to a point where you understand that you _don't_ understand some specific parts.
I was building a simple loom with the 3D printer, but I over-engineered it before listening to the customer's (my wife's) requirements. Once I actually heard her out, it turned out my super cool variable mechanism was completely pointless, so I lost motivation and am sitting this round out.
I just saw code that mixes github.com/lestrrat-go/jwx, github.com/golang-jwt/jwt/v3, and github.com/go-jose/go-jose/v4.
This was on a fairly large codebase. Wh.. why? they are such similar tools, I don't understand why you would need to mix them.
I had nowhere to store the scraper that came with the 3D printer, so I made a holder for it.
I had nowhere to store my solder, so I made a holder next to my desk.