This repository has been archived by the owner on Feb 22, 2024. It is now read-only.

State of the project? #822

Open
amahlaka opened this issue Dec 18, 2018 · 34 comments

Comments

@amahlaka

amahlaka commented Dec 18, 2018

There hasn't been much activity on this repository for the past few months, and there are a lot of open issues that have not been answered. Is this project being abandoned or put on hold by the maintainers?
There also seem to be problems with documentation of some features.

@ferndot

ferndot commented Dec 26, 2018

@jirikuncar do you have any info on this?

@lnielsen
Collaborator

@mattupstate First of all, thanks a lot for an extremely useful library! We use your library a lot in Invenio and are grateful for all the work you have put into the project.

However, in the past 4.5 years there have been only two releases (v1.7.5 and v.3.0.0). There's a major bunch of features and bugfixes waiting to be released. Flask-Security has been a critical part of our authentication system since 2015, and we simply cannot risk relying on a critical security library with so few releases.

I fully understand that we all have changing priorities, and as already said we're very grateful for all the time you've already put in the project. However, I would like to open up a conversation about how others in the community can help take over Flask-Security, so that we keep a great product moving forward.

First of all, I would suggest that both the GitHub project and the PyPI package are transferred to a new maintainer.

I would be happy to take on the responsibility to host the GitHub project as part of http://github.com/inveniosoftware/ as well as the PyPI package. CERN is behind inveniosoftware, so we can provide a stable home independent of individual people. I would also be happy to take on the responsibility of finding maintainers who can help out, as well as take on part of the maintenance of the library. Unfortunately, we cannot take on full responsibility for all maintenance.

I'm also happy to see the project transferred to anyone else who can maintain it.

What I wouldn't like to see is that this project dies or gets forked. I think, however, both are very real risks unless something happens soon to the project. For once, I don't see how we can continue relying on Flask-Security unless the maintenance issue gets fixed.

@jirikuncar
Collaborator

Thank you all for your interest in the library!

The priorities have changed 👨‍👧 and I was not very active in open-source projects. I would still like to contribute from time to time and share part of the maintenance burden. However, it is too much for a single "active" maintainer to do the job. For example, I can't (should not) merge my own PRs without another maintainer's review.

To move forward, I would suggest that @mattupstate shares admin rights to the project (including PyPI and ReadTheDocs) with @lnielsen. The next step would be to open a call for new maintainers from different organisations so we can ensure that this critical extension is kept up-to-date.

I would be happy with moving the project later to @inveniosoftware or creating a flask-security organisation as a sign that the project doesn't rely on a single person.

Cheers! 🍻

@mattupstate
Collaborator

Hi everyone!

@lnielsen Thanks for the kind words. I can't tell you just how grateful I am of you and the community of Flask-Security users out there that have made the project what it is today. And yes, it's sadly true, the project has not received the attention it needs if it's to continue to reliably serve the community.

If I may say, when I started the project I had no idea what I was in for when becoming an open source author and maintainer. Hell, I barely knew what I was doing when it came to implementing user authentication features for web applications. However, it was clear to me after seeing some projects that used Spring Security/Social (Java) and Devise/Omniauth (Ruby/Rails) that the Flask community could benefit from a similar tool. Even so, the project was primarily a means for me to get better at Python development, something I had only started a year before I released the project.

Development of the project progressed faster than I ever could have expected. Luckily I had a lot of spare time to dedicate. My employers were also supportive of me being active on GitHub during work hours. As a solo author/maintainer, the situation couldn't have been much better. I can remember when I discovered there was a flask-security tag on Stack Overflow. That was the moment I felt like my project had "made it". I felt a sense of pride in serving the Python/Flask community in this way.

However, my personal circumstances changed dramatically after moving to my current employer and subsequently becoming a father. All my spare time disappeared and I stopped writing Python on a regular basis. As time passed I started to feel rather guilty about not giving it (and my other extensions) any attention. Guilt, unfortunately, doesn't motivate me to try harder. Fortunately @jirikuncar and @jonafato came to the rescue and helped maintain the project in my absence. Without their help we wouldn't be here today. I really can't thank them enough for their help. And now with @jirikuncar becoming a father himself and having less time to help as well, I think it's only appropriate that the project find a new home base.

I think the proposal to immediately grant @lnielsen admin privileges to the repository, PyPi and ReadTheDocs is the appropriate first step. I'm also not opposed to the repository moving under an organization at some point in the future. I would leave most of those logistics up to @lnielsen after accepting the immediate proposal.

@lnielsen do you accept the proposal to be granted the required privileges on GitHub, PyPi and ReadTheDocs and become a maintainer of the project with the goal of eventually moving it under a GitHub organization?

@torotil

torotil commented Feb 15, 2019

Maybe moving the project to the pallets organization (werkzeug, flask, flask-sqlalchemy) could be an option too instead of creating a new organization.

@mattupstate
Collaborator

The Pallets org is not responsible for any opinionated Flask extensions, so I don't see much reason to bother them with that idea.

@lnielsen
Collaborator

@mattupstate Yep, I accept the proposal. Just to be clear though, I'm also a father with a 2 1/2 year-old with limited time, but the more maintainers to share the load the better.

@mattupstate
Collaborator

@lnielsen what is your username for readthedocs.org and pypi.org?

@lnielsen
Collaborator

At readthedocs it's lnielsen_cern and pypi is lnielsen

@mattupstate
Collaborator

I've added you to each service.

@jwag956

jwag956 commented Feb 26, 2019

This is awesome and thanks to all. I am hoping to get more involved - I have a fork of flask-security that I have been working on primarily around enabling non-form based usage (such as SPA style UIs based on vue, angular, etc).

@jwag956

jwag956 commented May 1, 2019

As both a learning experience and to jump start things - I decided to fork and put out 2 small releases that pick up many of the long-outstanding bugs (and incorporate the wonderful additions in translations etc).
I am willing and able to work and be a maintainer regardless of where this lands - however I do think it is critical to have at least a couple 'active' maintainers and some backup that can be called on for more involved proposals. I am a big believer in small fairly frequent releases rather than gigantic ones that require a lot of work for consumers of flask-security.

You can see my fork at:
https://github.com/jwag956/flask-security

it is available on pypi:
https://pypi.org/project/Flask-Security-Too/

Oh - who am I? https://www.linkedin.com/in/jwagjwag/

@mkschulze

Thanks Chris! I just installed your version.

@lrebscher

@lnielsen @jirikuncar can one of you already give an update regarding the project status and possible timeframe for release 3.1.0? Thanks! :)

@jwag956

jwag956 commented Jun 13, 2019

I have put up 3.2.0rc3 at:
https://pypi.org/project/Flask-Security-Too/#history

It contains almost all of the merged PRs in the develop branch. In addition, it has support for json and single-page applications - including a formal API spec.
It also adds two-factor auth as a supported set of endpoints.
There are other minor improvements as well.

It would be great to get some additional testing.

@brettkromkamp

Any timeframe as to when 3.1.0 will be released?

@jwag956

jwag956 commented Jul 2, 2019

@brettkromkamp - consider: https://pypi.org/project/Flask-Security-Too/
it is a fork I am working on - if there is something you need - please file an issue over there.

@brettkromkamp

brettkromkamp commented Jul 2, 2019

@jwag956 Thanks! I will drop Flask-Security-Too into my application and see how it goes (and file any issues over there if I come across anything unexpected).

@lig

lig commented Jul 18, 2019

AFAIK, PSF is happy to help projects with governance in the form that a project doesn't need to bother creating its own legal organization. Maybe, it's a possible way to consider.

@TimotheeJeannin

@jwag956 Thank you for your work! Did you consider becoming the lead developer / maintainer of Flask-Security?

@jwag956

jwag956 commented Jul 18, 2019

You are welcome. It's been fun.
Besides commenting on this thread, and answering other threads/issues - I contacted the 3 primary maintainers directly via email and suggested that we try not to have 2 active forks. I never heard from any of them, and they have not responded on this site since February. Given that, I decided to go ahead and make my fork active - I have produced 3 smallish releases and am working on some additional features (full-redo of CSRF to support json/token access).

@lig

lig commented Jul 19, 2019

@mattupstate @lnielsen @jirikuncar any updates on this?

@lig

lig commented Jul 19, 2019

@jwag956 Great work! Keep it up!

However, the problem is that moving the project from the maintenance by three random people to the maintenance by another single person doesn't look like something more promising than before. No personal offense intended.

It seems much better to bring such an influential project under some organized umbrella before spreading its forks around.

@jwag956

jwag956 commented Jul 19, 2019

Fair point (and no offense taken) - however I would argue that this is how most smaller open source packages are maintained - someone starts (in this case Matt) and puts in huge amounts of work. Then as it gains acceptance, others start providing PRs and commits - still huge effort required by the 'creator'. Then - if it still has a strong following, it gains other maintainers. Ultimately it either thrives and continues to add/rotate maintainers, or dies.

The Flask eco-system had (and has) a large following - but if you look around most of the major ecosystem pieces have languished for years - with Pallets getting Werkzeug and Flask back on the rails (very very recently) perhaps there will be renewed interest in other flask extensions....

or not - might be that the flask ecosystem is too rooted in decade old concepts.
I personally don't think so - but it will require a shaking out of the myriad extensions - many of which are for all intents and purposes abandoned.

Not sure creating a github organization for one repo makes much sense. Right now I am focusing on getting flask-security relevant again.

@lig

lig commented Jul 22, 2019

@jwag956 the biggest problem I'm aware of is that there are a lot of tutorials, blog posts, and references on StackOverflow regarding Flask-Security and every possible link points to this repo at the moment.

@pagreene

pagreene commented Jul 22, 2019

@lig That could possibly be at least partially resolved by placing a link to the new home at the top of the README in this Repo. Although I still think it would be better if ownership could be properly transferred.

@mkschulze

I don’t get why @jwag956 doesn‘t get added as additional contributor. He‘s the only one actually being active and could spread new motivation to the others.

@pagreene

@mark-schulze I think right now the problem (if I understand it) is that the current maintainers are not responsive. I agree it would be great if @jwag956 could be added, but I worry that the more he puts in, the harder it will be for a transition to occur, because it will require more review from the current official maintainers.

@jwag956

jwag956 commented Jul 23, 2019

Thanks for all the encouragement and suggestions. As I mentioned a week or so ago - I attempted that route and there has simply been zero response. It isn't quite as simple as being added as a contributor since presumably the current group would still control releases, reviews etc - and so far - there is no indication that any of them have the time. I am trying to tread lightly here because we owe all of them - especially Matt a huge debt of (at least) gratitude for the incredible amount of work they have all put in over the years.

However - let's be honest - a first measure of any open source project's viability is whether basic CI is passing - Flask-Security hasn't passed CI in 5 months - even with multiple contributors offering PRs.
(https://travis-ci.org/mattupstate/flask-security/builds)

From my perspective - an ideal scenario would be that Matt and the others simply acknowledge that they don't have the time nor inclination to continue working on Flask-Security and turn over the PyPI and ReadTheDocs project name 'Flask-Security' to my fork. A readme pointing from current repo to mine would be nice as well. Of course if any one of them WANTED to contribute, review, etc - awesome!

At that point the continued success for Flask-Security would rest on others stepping up to help me and at least help by reviewing code...

@acidjunk

Monitored this thread from the beginning and I am not confident, at this point, that this project will get the love it needs. @jwag956 I'm switching to your fork.

@darshkpatel

Came to this repo through a multitude of references on StackOverflow, seems like this project has been abandoned.
Switching over to @jwag956 's fork.

@torotil

torotil commented Aug 5, 2019

While I think it would be sensible for such a project to not be dependent on a single person, a single person actively working on this is a lot better than having it abandoned. With all due respect for the original contributors: At this point whoever is having access to this github project and the related pypi project is doing major harm to the Flask eco-system:

  • by not being upfront with this github project’s status (abandoned).
  • by not handing over these resources to the currently active fork.

@nk9

nk9 commented Aug 5, 2019

I had a discussion on Twitter with Matt about this. The upshot seems to be: at this point, there are no plans to add maintainers to this project. And if sufficient people move to a particular fork, Matt is willing to mention in the README that new adopters should migrate.

I don't personally understand why Matt isn't willing to add maintainers to this project, but it's his choice to do so and we have to accept that. Given this conversation, I'll be switching to @jwag956's fork as well. I hope Chris will be assiduous about cultivating a maintainer stable to prevent his project sharing this fate.

@jwag956

jwag956 commented Aug 6, 2019

Thanks @nk9 .. appreciate the update.

italomaia added a commit to italomaia/flask-empty that referenced this issue Jan 16, 2020
As seen in pallets-eco/flask-security#822 flask-security
became abandonware. A fork maintained by jwag956 seems to handle the project's continuity.
I took a look in the source code and it seems to be properly maintained.