Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is this package still active? #494

Open
catsalive opened this issue Jan 18, 2019 · 21 comments
Open

Is this package still active? #494

catsalive opened this issue Jan 18, 2019 · 21 comments

Comments

@catsalive
Copy link

There's an alpha release for this package from 9 months ago, is this package still active?
@dead-horse
Copy link
Contributor

@alexmingoia can we transfer this project to https://github.com/koajs and we can maintain it together?

@XadillaX XadillaX mentioned this issue Jan 24, 2019
Closed
3 tasks
@ZijianHe
Copy link
Owner

Hi all, I've taken over the project and will start maintaining it after 11st February.

@jcao219
Copy link

jcao219 commented Jan 29, 2019

Thank you Zijian.

@yi-ge
Copy link

yi-ge commented Jan 30, 2019

Zijian,希望此项目越来越好。💪

@catsalive
Copy link
Author

Thank you sir!

@imcotton
Copy link

imcotton commented Feb 2, 2019

Hi all, I've taken over the project and will start maintaining it after 11st February.

@ZijianHe first of all thank you for taking the maintaining responsibility, some questions:

  1. Will you going to have the total control over the NPM publishing? (i.e.: npm owner ls koa-router)
  2. Why it's not ending under the Koa.js org?
  3. Who are you?

@fl0w
Copy link

fl0w commented Feb 6, 2019
edited
Loading

@alexmingoia Thank you for your work with this library, and a hearty welcome @ZijianHe!

With koa-router being a significant lib used in Koa's ecosystem @alexmingoia, I'm not a distrusting person at all but as responsibilities creep up I'd like to respectfully ask how you arrived at the decision to pass over the package to @ZijianHe?

From a security standpoint it is a bit hard to evaluate this based off of @ZijianHe's history. And sincerely, I'm trying really hard not to offend anyone but I felt the question had to be asked.

Edit My bad, I had completely missed the "for sale" commits, which I saw just now.

@rarkins
Copy link

rarkins commented Feb 13, 2019

https://news.ycombinator.com/item?id=19156707

@alexmingoia
Copy link
Collaborator

Let's set the record straight.

  • The Koa organization did not write, maintain, or ever help with this package. I wrote it. I maintained it, with help from people who reached out to me directly (and actually contributed code).
  • @ZijianHe offered to maintain it, and I agreed to let him maintain it. I know him, and my personal life is not anyone's business. I don't have a relationship to the koa organization. I don't know them. Furthermore, @niftylettuce has repeatedly in emails to npm asserted that ZijianHe is Chinese, despite this having nothing to do with anything, or even knowing whether ZijianHe lives in China. Chinese developers have contributed more to this repository than anyone from the Koa organization. This kind of racial scaremongering or guilt by association is not acceptable. Its offensive. Let's be very clear: Developers from any ethnicity and nationality are welcome to contribute to open source.

@crobinson42
Copy link

Roger that @alexmingoia - just because you think ONE person is discriminating doesn't mean the rest of the concerned people who adopted this library of the years of it growing in REPUTATION is not a valid security concern and that everyone is racially motivated in their concern. ENOUGH SAID on that.

I'd like to thank you for your effort and the wonderful package, koa-router. When any npm package grows in downloads, it's building a reputation. That reputation was built on you maintaining the package. When a new maintainer comes in after you advertise "selling" the package, it's immediately a concern that someone with zero reputation then takes over a package that so many have and are trusting based on the previous reputation - in short, you cannot buy reputation.

So, I think the record is this: you sold a library and the new maintainer has no reputation in OSS, at least that has been published or is available to the public OSS community.

WE ARE SIMPLY CONCERNED - incidents like the event-streams maintainer injecting malicious code into a very popular package are what cause these types of concerns. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

@niftylettuce
Copy link

niftylettuce commented Feb 13, 2019
edited
Loading

Someone may want to lock this thread for discussion.

Also to set the record straight since @alexmingoia is not telling the truth.

To clarify things for the community:

  1. No, they (Chinese developers) have not contributed more. You revoked access from @jbielick who was Use trie-based routing with Routington #2 contributor to the package behind you. He messaged me in Slack today that he received zero notification from you and simply received a notification from NPM that he was removed access from the package. You removed his access completely from NPM.

  2. My email to you prefaced the concern of the China-based user with "completely unknown" and "To an outsider". Here's the original email to clarify it for people viewing this from an incorrect context:

Hi Alex,

Thanks for your work in the open source community.

I am curious, since the project is open source, if you will be transparent as to the transfer of the koa-router repository and NPM ownership to a completely unknown user "ZijianHe" to the community.  Was there a monetary transaction?  Why did you choose him?  Why not transfer to the KOA org?

To an outsider, this is all a huge red flag, as an unknown Chinese GitHub user suddenly has full control of a NPM package with 130K weekly downloads and is used by major corporations.
  1. I did not "repeatedly" assert that. I stated the word "Chinese" one time. One time is not "repeatedly". I would share with the community your response to my message, but I am not going to do so.

@int64ago
Copy link

The transaction should be agreed by all contributors!

@ZijianHe
Copy link
Owner

Hi all. I am the one who took over the repo. Thanks for some of you guys reaching out.

I haven't been contributing to open source projects before so I don't have too much public information on my Github account.

Thus I think it would be a good opportunity for me to join the open source community by maintaining the koa-router project.

I will start reviewing PRs and getting rid of issues after I finish going thru the code.

Any suggestions are welcome

@niftylettuce
Copy link

niftylettuce commented Feb 14, 2019 via email

@crobinson42
Copy link

@ZijianHe Hello and welcome! What projects are you using koa-router in, if you're willing to share? What peaked your interested in purchasing koa-router vs. simply contributing via PR's or even other libraries?

@niftylettuce niftylettuce mentioned this issue Feb 14, 2019
Open
@ZijianHe
Copy link
Owner

@crobinson42 I use it with koa like most people. My projects are commercial so it would not be proper to share the code publicly.

It sometimes could be passive to simply contributing via PR to whatever repos. One can see for this repo there are 15 PRs lying there for very long time and the contributors must be very upset.

Purchasing it is just a way to put myself to an active position to make it easier to push things forward

@ljmerza
Copy link

ljmerza commented Feb 14, 2019
edited
Loading

Thank you for your initiative to push this repo forward. I'm sure you're getting a lot of hate but any person taking such an important project over would have. I think it came down to how quietly and quickly this transaction tried to be done instead of out in the open ... On an open source platform of all things.

@jdrydn
Copy link

jdrydn commented Feb 14, 2019

Immature chinese developer comments aside (sigh 🤦‍♂️), the fact the project was "sold" to someone with a quiet public profile, no introduction from the original author, an offer to add it to the @koajs organisation being ignored not discussed and contributor push access being revoked without warning... none of these are nowhere near acceptable for a widely used 5-year-old open-source dependency 🙌

@HcgRandon
Copy link

HcgRandon commented Feb 15, 2019
edited
Loading

All of you complaining that this was unacceptable is laughable. Do you pay alexmingoia's bills?

You are using a open source project, provided as is, by someone in their free time. Stop installing random dependencies for every little thing and you won't have to deal with these kind of issues.

That being said. Alex could of handled this much more delicately. While I don't use this package myself it would of been nice to of seen a discussion between contributors or maybe even adding it to the koajs org as stated by jdrydn.

The project being sold to a user with a default profile picture definitely feels a little sketchy.

@niftylettuce
Copy link

niftylettuce commented Feb 15, 2019 via email

@ZijianHe
Copy link
Owner

ZijianHe commented Feb 15, 2019
edited
Loading

locked as suggested

Repository owner locked as resolved and limited conversation to collaborators Feb 15, 2019
fl0w referenced this issue in koajs/router Jun 24, 2019
@dead-horse
Release 8.0.0
94698a3
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests