PEP 541 Request: Requests for projects owned by user etingof

[lextm]

Project to be claimed

See below

Your PyPI username

lextm: https://pypi.org/user/lextm

Reasons for the request

Grouping of 13 PEP 541 requests for projects:

pysnmp-mibs
pysnmp-apps
pysnmpcrypto
snmpfwd
snmpreceiver
snmpdiscoverer
snmpresponder
pysmi
snmpsim
snmpsim-data
snmpsim-control-plane
snmpclitools
pysnmp

All of them owned by the same user Ilya Etingof (@entingof). But sadly he passed away a few months ago, as announced here.

The packages are dependencies for many open source software or tools used by many of my clients and a broader community. I'd like to take ownership of the packages and keep them up-to-date.

I have contacted owners of several forks, but either no reply or they are not interested in taking over the ecosystem. I also contacted Yeray who has previously requested project ownership in ticket #1104.

Please add me as admin to the projects on PyPI and Test PyPI.

• pysnmp-mibs: https://pypi.org/project/pysnmp-mibs
• pysnmp-apps: https://pypi.org/project/pysnmp-apps
• pysnmpcrypto: https://pypi.org/project/pysnmpcrypto
• snmpfwd: https://pypi.org/project/snmpfwd
• snmpreceiver: https://pypi.org/project/snmpreceiver
• snmpdiscoverer: https://pypi.org/project/snmpdiscoverer
• snmpresponder: https://pypi.org/project/snmpresponder
• pysmi: https://pypi.org/project/pysmi
• snmpsim: https://pypi.org/project/snmpsim
• snmpsim-data: https://pypi.org/project/snmpsim-data
• snmpsim-control-plane: https://pypi.org/project/snmpsim-control-plane
• snmpclitools: https://pypi.org/project/snmpclitools
• pysnmp: https://pypi.org/project/pysnmp

Maintenance or replacement?

Replacement

Source code repositories URLs

Ilya's repos

https://github.com/etingof/pysnmp-mibs
https://github.com/etingof/pysnmp-apps
https://github.com/etingof/pysnmpcrypto
https://github.com/etingof/snmpfwd
https://github.com/etingof/snmpreceiver
https://github.com/etingof/snmpdiscoverer
https://github.com/etingof/snmpresponder
https://github.com/etingof/pysmi
https://github.com/etingof/snmpsim
https://github.com/etingof/snmpsim-data
https://github.com/etingof/snmpsim-control-plane
https://github.com/etingof/snmpclitools
https://github.com/etingof/pysnmp

new repos owned by me

https://github.com/lextudio/pysnmp-mibs
https://github.com/lextudio/pysnmp-apps
https://github.com/lextudio/pysnmpcrypto
https://github.com/lextudio/snmpfwd
https://github.com/lextudio/snmpreceiver
https://github.com/lextudio/snmpdiscoverer
https://github.com/lextudio/snmpresponder
https://github.com/lextudio/pysmi
https://github.com/lextudio/snmpsim
https://github.com/lextudio/snmpsim-data
https://github.com/lextudio/snmpsim-control-plane
https://github.com/lextudio/snmpclitools
https://github.com/lextudio/pysnmp

Contact and additional research

The previous owner Ilya Etingof (@entingof) passed away a few months ago, as announced here.

I already outlined the complete plan to take over the ownership of the entire ecosystem, as documented

etingof/pysnmp#429

and contacted parties that might be interested in owning the pieces,

• Splunk (limited interest in taking over all the pieces)
• inexio (no response)

Code of Conduct

• I agree to follow the PSF Code of Conduct

[lextm]

My team have published several new releases of lextudio/pysnmp and lextudio/snmpsim in the past two months.

Now this request long passed the six-week reachability phase, so any update on whether to move on to next phase?

[yeraydiazdiaz]

Hi @lextm, I don't feel comfortable simply assigning you as owner of all these projects. As explained by @tiran these are critical security projects so I'm going to defer to a @pypi/warehouse-admins.

[lextm]

@yeraydiazdiaz Thanks for at least responding with the progress.

[di]

inexio (no response)

I think this person (@Lostboi on GitHub) previously filed PEP 541 requests which have been aggregated here: #1104

[lextm]

@di I was writing about the company of inexio GmbH, which was once the sponsor of Ilya, and was trying to fork and maintain the documentation site as well as some repos that their products depend on, such as snmpsim.

I wrote to both support@inexio.net and info@inexio.net in Nov 2022, but never got a reply.

It is not clear to me what's the relationship between inexio GmbH and @Lostboi except what you might find under #802, where @Lostboi seemed to request package ownership on behalf of inexio.

[Lostboi]

Hey guys,
yes i was trying to get the ownership of the packages on behalf of inexio, since Ilya did not answer us anymore, and the project seems not to be continued.
So we decided to try to maintain the whole snmpsim project.
Sadly we didnt got the time to maintain the project further, and i am not working for inexio anymore.

I know that support@inexio.net does not answer because they dont know whom they could address the task.

Since Ilya has unfortunately passed away, I would think it best that the co-worker (e.g. https://github.com/tiran) of Ilya maintain the project as far as they can, because of the security relevant topics.

[lextm]

While this request is being further reviewed, I'd like to ask for clarity on how the security risks are being evaluated.

The original comment left by @tiran contains several key points,

1. "I'm confident that he will be back in the future". At that time June 2021, likely the original owner could be back. Now we know that's not the case.
2. "https://pypi.org/user/inexio was created less than a year ago". I wonder if that's a fair way to evaluate a company account. inexio GmbH was founded in 2007 according to file, but only started to publish PyPI packages in 2020. I am in a similar situation that I entered the SNMP business in 2008, founded my company in 2018, and just started to publish PyPI packages in 2020.
3. The claim of "packages are used in security critical infrastructure" is also interesting. While pyasn1 related packages might have bigger impact on security side as their consumer base is much larger, the packages listed here for pysnmp have much smaller impact. While "SNMP is typically used in enterprise environments to control and monitor hardware like routers and switches", my question is how many of them are using PySNMP but not other SNMP implementations out there? Personally I have been managing the most popular C# SNMP open source library with more than 1.2 million downloads since 2008, so I do understand how to run an open source project in this field.

[juliakreger]

Greetings!

I'm curious if there is an update or if any consensus has been reached? Ilya was on my team when he went on leave to never return, and I can say with certainty that he wouldn't want to see pysnmp fragment. Pysnmp for Ilya was much more a project out of passion instead of work funded by any specific employer. As someone who is looking for the next logical path with pysnmp because I have partners using it in driver code today, I really hope a forward path can be reached. One aspect which comes to mind is passion. To me, it seems like @lextm is approaching this with passion, which reminds me so very much of Ilya. 😢

[neirbowj]

As a casual, interested observer, this request appears to be stalled, to our collective detriment. In the interests of the PySNMP project and its constituent components, the projects that depend on them, and the broader PyPI community, I would seek greater clarity on the status of this request relative to the PEP 541 process.

Starting from the top, the section on Reachability stipulates that "the maintainers" (meaning those who operate PyPI) "will try to [contact the user] at least three times" (where "the user" is evidently one who is able to publish material to a PyPI project, and "contact" is by email according to one of three defined addresses). I have to identify evidence linked from this request to show that the maintainers have carried out this step. If this step has been completed, could a maintainer please post evidence here? If not, what is preventing progress?

I welcome enlightenment on points I have failed to sufficiently grasp.

[geofft]

Hi - I'd like to re-raise this request. I think passing ownership to @lextm makes sense, for a few reasons. There appear to be two active forks of PySNMP; besides https://github.com/lextudio/pysnmp (currently pip install pysnmp-lextudio), the other is https://github.com/pysnmp/pysnmp (pip install pysnmplib). But that one has pointed people at Lex's fork for feature requests (e.g., pysnmp/pysnmp#40), and they have not raised a request to take over the PyPI name pysnmp.

Furthermore, the pysnmp GitHub organization also has its own fork of pyasn1, published as pip install pysnmp-pyasn1. This was necessary because Ilya Etingof was also the maintainer of pyasn1, and in fact Lex also had forked it (as pip install pyasn1-lextudio). But ownership of pyasn1 was transferred in #2090 and maintenance has been continued, and Lex's project now depends on the standard one (lextudio/pysnmp@924a022), whereas pysnmplib continues to depend on their fork.

If I understand correctly, you cannot have both pysnmplib and the standard pyasn1 in your transitive requirements, because both pysnmp-pyasn1 and the standard pyasn1 use the same importable name import pyasn1. So, the other fork is essentially not usable in the broader ecosystem. This was reported as pysnmp/pysnmp#51 but there has not been any response.

But you can have pysnmp-lextudio and pyasn1 coinstalled. So, I think transferring the ownership to @lextm is consistent with the PyPI project's previous decision in #2090 and is the best thing for the ecosystem.

I also agree with the point above that @tiran's statement about security sensitivity is more about pyasn1 than pysnmp - yes, pysnmp is used in security-sensitive contexts, but pyasn1 is very widely used and the risk of passing it to someone untrustworthy is much, much higher.

To the most recent question about contact: the user cannot be contacted due to his death, and so this step is moot.

But I don't know what the next step is, then. Can a PyPI maintainer comment on what needs to be done, please?

(@tiran, since you specifically requested a hold on transferring Ilya's projects in #1104, would you mind sharing thoughts on what should happen with pysnmp and more generally the non-pyasn1 projects?)