
Is this package still active? #494

Open
catsalive opened this issue Jan 18, 2019 · 21 comments

Comments

@catsalive

commented Jan 18, 2019

There's an alpha release for this package from 9 months ago, is this package still active?

@dead-horse

Contributor

commented Jan 24, 2019

@alexmingoia can we transfer this project to https://github.com/koajs and we can maintain it together?

XadillaX referenced this issue Jan 24, 2019
@ZijianHe

Owner

commented Jan 29, 2019

Hi all, I've taken over the project and will start maintaining it after 11th February.

@jcao219


commented Jan 29, 2019

Thank you Zijian.

@yi-ge


commented Jan 30, 2019

Zijian, I hope this project keeps getting better and better. 💪

@catsalive

Author

commented Jan 30, 2019

Thank you sir!

@imcotton


commented Feb 2, 2019

Hi all, I've taken over the project and will start maintaining it after 11th February.

@ZijianHe first of all thank you for taking the maintaining responsibility, some questions:

  1. Will you be taking total control over the NPM publishing? (i.e.: npm owner ls koa-router)
  2. Why isn't it ending up under the Koa.js org?
  3. Who are you?

@fl0w


commented Feb 6, 2019

@alexmingoia Thank you for your work with this library, and a hearty welcome @ZijianHe!

With koa-router being a significant lib used in Koa's ecosystem @alexmingoia, I'm not a distrusting person at all but as responsibilities creep up I'd like to respectfully ask how you arrived at the decision to pass over the package to @ZijianHe?

From a security standpoint it is a bit hard to evaluate this based off of @ZijianHe's history. And sincerely, I'm trying really hard not to offend anyone but I felt the question had to be asked.

Edit: My bad, I had completely missed the "for sale" commits, which I saw just now.

@rarkins


commented Feb 13, 2019

@alexmingoia

Collaborator

commented Feb 13, 2019

Let's set the record straight.

  • The Koa organization did not write, maintain, or ever help with this package. I wrote it. I maintained it, with help from people who reached out to me directly (and actually contributed code).
  • @ZijianHe offered to maintain it, and I agreed to let him maintain it. I know him, and my personal life is not anyone's business. I don't have a relationship to the koa organization. I don't know them. Furthermore, @niftylettuce has repeatedly in emails to npm asserted that ZijianHe is Chinese, despite this having nothing to do with anything, or even knowing whether ZijianHe lives in China. Chinese developers have contributed more to this repository than anyone from the Koa organization. This kind of racial scaremongering or guilt by association is not acceptable. It's offensive. Let's be very clear: developers from any ethnicity and nationality are welcome to contribute to open source.

@crobinson42


commented Feb 13, 2019

Roger that @alexmingoia - just because you think ONE person is discriminating doesn't mean the rest of the concerned people who adopted this library over the years of it growing in REPUTATION don't have a valid security concern, or that everyone is racially motivated in their concern. ENOUGH SAID on that.

I'd like to thank you for your effort and the wonderful package, koa-router. When any npm package grows in downloads, it's building a reputation. That reputation was built on you maintaining the package. When a new maintainer comes in after you advertise "selling" the package, it's immediately a concern that someone with zero reputation then takes over a package that so many have and are trusting based on the previous reputation - in short, you cannot buy reputation.

So, I think the record is this: you sold a library and the new maintainer has no reputation in OSS, at least that has been published or is available to the public OSS community.

WE ARE SIMPLY CONCERNED - incidents like the event-stream maintainer injecting malicious code into a very popular package are what cause these types of concerns. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

@niftylettuce


commented Feb 13, 2019

Someone may want to lock this thread for discussion.

Also to set the record straight since @alexmingoia is not telling the truth.

To clarify things for the community:

  1. No, they (Chinese developers) have not contributed more. You revoked access from @jbielick, who was the #2 contributor to the package behind you. He messaged me in Slack today that he received zero notification from you and simply received a notification from NPM that his access to the package had been removed. You removed his access completely from NPM.

  2. My email to you prefaced the concern of the China-based user with "completely unknown" and "To an outsider". Here's the original email to clarify it for people viewing this from an incorrect context:

Hi Alex,

Thanks for your work in the open source community.

I am curious, since the project is open source, if you will be transparent as to the transfer of the koa-router repository and NPM ownership to a completely unknown user "ZijianHe" to the community.  Was there a monetary transaction?  Why did you choose him?  Why not transfer to the KOA org?

To an outsider, this is all a huge red flag, as an unknown Chinese GitHub user suddenly has full control of a NPM package with 130K weekly downloads and is used by major corporations.
  3. I did not "repeatedly" assert that. I stated the word "Chinese" one time. One time is not "repeatedly". I would share with the community your response to my message, but I am not going to do so.

@int64ago


commented Feb 14, 2019

The transaction should be agreed by all contributors!

@ZijianHe

Owner

commented Feb 14, 2019

Hi all. I am the one who took over the repo. Thanks for some of you guys reaching out.

I haven't contributed to open source projects before, so I don't have much public information on my GitHub account.

Thus I think it would be a good opportunity for me to join the open source community by maintaining the koa-router project.

I will start reviewing PRs and getting rid of issues after I finish going through the code.

Any suggestions are welcome.

@niftylettuce


commented Feb 14, 2019

@crobinson42


commented Feb 14, 2019

@ZijianHe Hello and welcome! What projects are you using koa-router in, if you're willing to share? What piqued your interest in purchasing koa-router vs. simply contributing via PRs, or even other libraries?

@ZijianHe

Owner

commented Feb 14, 2019

@crobinson42 I use it with koa like most people. My projects are commercial so it would not be proper to share the code publicly.

It can sometimes be passive to simply contribute via PR to whatever repos. One can see for this repo there are 15 PRs lying there for a very long time, and the contributors must be very upset.

Purchasing it is just a way to put myself in an active position to make it easier to push things forward.

@ljmerza


commented Feb 14, 2019

Thank you for your initiative to push this repo forward. I'm sure you're getting a lot of hate but any person taking such an important project over would have. I think it came down to how quietly and quickly this transaction tried to be done instead of out in the open ... On an open source platform of all things.

@jdrydn


commented Feb 14, 2019

Immature "Chinese developer" comments aside (sigh 🤦‍♂️), the fact the project was "sold" to someone with a quiet public profile, no introduction from the original author, an offer to add it to the @koajs organisation being ignored rather than discussed, and contributor push access being revoked without warning... none of these is anywhere near acceptable for a widely used 5-year-old open-source dependency 🙌

@HcgRandon


commented Feb 15, 2019

All of you complaining that this was unacceptable is laughable. Do you pay alexmingoia's bills?

You are using an open source project, provided as is, by someone in their free time. Stop installing random dependencies for every little thing and you won't have to deal with these kinds of issues.

That being said, Alex could have handled this much more delicately. While I don't use this package myself, it would have been nice to have seen a discussion between contributors, or maybe even adding it to the koajs org as stated by jdrydn.

The project being sold to a user with a default profile picture definitely feels a little sketchy.

@niftylettuce


commented Feb 15, 2019

@ZijianHe

Owner

commented Feb 15, 2019

Locked as suggested.

Repository owner locked as resolved and limited conversation to collaborators Feb 15, 2019
fl0w referenced this issue in koajs/router Jun 24, 2019