We voted in August to mark a number of repositories "security-only".
The problem: we never did. Worse, we had no plan for what that process would look like, other than some vague wording on the repository README.
As the months roll on, this gets more problematic, as we are ignoring PRs in those repositories. (This was made even worse by the fact that we opened the PHP 8 and Psalm issues on them as well!)
We need a plan.
During our meeting in July, the following were all brought up as viable options/actions, some of which might be used in combination with others:
- Adding a note to the repository
README.md
indicating security-only status.
- Labeling them (via repository topics)
- Sharing a set of issue and PR templates that message the "security-only" status, and applying these during manual triage.
- Using a bot or GitHub Action to auto-close any issues/PRs opened against them (likely with the template developed above).
What we did NOT discuss was:
- Do these get the automatic-releases automation and/or the switch to release branches as part of the change?
- What do we do about existing open issues and pull requests?
- How exactly should the verbiage detailing "security-only" status for the README and/or issues read? Should it provide a link to the "nominate maintainer" issue form?
- What bots/GHAs exist that could do auto-closure?
Current activity
Component |
Issues |
Patches |
laminas-barcode |
3 |
1 |
laminas-config |
6 |
1 |
laminas/laminas-config-aggregator-modulemanager |
1 |
0 |
laminas/laminas-console |
11 |
1 |
laminas/laminas-crypt |
6 |
3 |
laminas/laminas-db |
128 |
14 |
laminas/laminas-dom |
7 |
2 |
laminas/laminas-file |
3 |
1 |
laminas/laminas-http |
28 |
0 |
laminas/laminas-json |
7 |
1 |
laminas/laminas-loader |
3 |
1 |
laminas/laminas-log |
9 |
1 |
laminas/laminas-mail |
60 |
5 |
laminas/laminas-math |
2 |
1 |
laminas/laminas-memory |
2 |
0 |
laminas/laminas-mime |
10 |
2 |
laminas/laminas-mvc-console |
4 |
0 |
laminas/laminas-oauth |
7 |
0 |
laminas/laminas-progressbar |
5 |
0 |
laminas/laminas-serializer |
5 |
2 |
laminas/laminas-servicemanager-di |
2 |
0 |
laminas/laminas-soap |
23 |
1 |
laminas/laminas-tag |
2 |
0 |
laminas/laminas-text |
1 |
0 |
laminas/laminas-uri |
7 |
0 |
laminas/laminas-xml |
1 |
0 |
laminas/laminas-xml2json |
3 |
0 |
The majority of the repos we voted to mark security-only have a handful of issues and 0-3 pull requests; 2 issues in each are generally the PHP 8 and Psalm support issues created for Hacktoberfest.
A few, however, have significant amounts of activity:
- laminas-console
- laminas-crypt
- laminas-db
- laminas-http
- laminas-mail
- laminas-mime
- laminas-soap
We have messaged for many years that zend-console/laminas-console is dead, and with laminas-cli now in good condition, I have zero problem directing users to that solution. Similarly for laminas-crypt, the cryptography tools in PHP have gained great capabilities, and, more importantly, simple interfaces, making it easy to direct users to those tools. All open issues except 4 issued against laminas-http were migrated from the original zend-http repo; assuming the plan for laminas-mvc v4 is to use PSR-7, we can likely write these off without too much fuss. The same is true of laminas-soap (3 new issues since migration, 2 of which were the PHP 8/Psalm issues).
The remaining are more problematic.
laminas-db only has 11 new issues since the migration, but has 14 PRs currently open. On top of that, prior to the migration, there had been an RFC for splitting out adapters into their own packages, and some of that work is in the dev-3.0.0 branch. From what I can tell, most of the patches are not security-sensitive, but many are ones that pre-date the decision to mark the repo security-only, and many are fixing outstanding problems.
For laminas-mail, we have a similar scenario: only 11 new issues since migration, but all current patches were submitted after we made the security-only decision. However, we've outlined a future 2.13.0 release, and done 3 releases since we made the security-only decision. The related laminas-mime component only has one user-opened issue since migration, and one patch predates the security-only decision.
Proposal
I propose the following:
-
We drop an addition to the README.md
file on the current release branch of each of the repositories, reading:
This package is considered feature-complete, and is now in **security-only** maintenance mode.
If you have a security issue, please [follow our security reporting guidelines](https://getlaminas.org/security/).
If you wish to take on the role of maintainer, please [nominate yourself](https://github.com/laminas/technical-steering-committee/issues/new?assignees=&labels=Nomination&template=Maintainer_Nomination.md&title=%5BNOMINATION%5D%5BMAINTAINER%5D%3A+%7Bname+of+person+being+nominated%7D)
Where an alternative package exists, we will append the following verbiage to the message:
If you are looking for an actively maintained package alternative, we recommend [package name](link to package).
-
Close all open PRs and issues with a comment containing the text addtions made for the README.md
.
-
Add the issue-auto-closer github action to the repository workflow. We can set the issue-pattern
to match any text. The issue-close-message
text can be the same as in the README.md
additions.
-
We add a repository topic of "security-updates-only", which will allow us to provide a search link to give users a reference of which repos we no longer support.
What about the laminas-db package?
We don't want to maintain a database package. There are too many databases to test against, and it's like playing whack-a-mole ensuring everything works across all databases we would want to support.
We should just recommend doctrine/dbal.
What about laminas-mail and laminas-mime?
We have an active contributor who I will not name, but who is periodically sending in patches to address bugs and issues on these two repositories. At first glance, they would appear to be an ideal candidate to recruit as a maintainer.
However, I have reviewed quite a number of their patches in the past, and while many are fine, there have been a number of cases where:
- the patch had no tests
- the patch broke existing functionality
and their typical response has been a shrug and an expectation we'd either merge as-is, or correct things for them.
I see the following options:
- We just go ahead and treat this like the other repos we voted to make security only, and be done.
- We invite the contributor to be a maintainer, with the caveat that for the first "X" months, we have an integration in place that requires a review from a TSC member on all pull requests before a merge can be done.
The problem with the latter approach is that we will still be spending time on the components for however long "X" months is, when our plan was to drop support so we wouldn't need to spend more time on them.
My recommendation: mail protocols are notoriously painful, and we likely shouldn't even entertain the idea of getting a maintainer for our libraries. I suggest we direct users to one or all of the following:
- For users needing mail storage access/mail reading capabilities:
- For users needing the ability to send email:
How to proceed
I'll call a vote starting on Monday, 2021-01-11; once the vote is complete, assuming it passes, I'll start enacting the above immediately.