Search Mailing List Archives
Future WebAuth releases
jonrober at stanford.edu
Tue Dec 1 08:56:39 PST 2015
On 12/01/2015 08:03 AM, Adam Lewenberg wrote:
> On 11/30/2015 7:46 PM, Russ Allbery wrote:
>> Adam Lewenberg <adamhl at stanford.edu> writes:
>>> Currently, we have no people committed to working on WebAuth development
>>> at Stanford. As for our plans regarding 4.7.1, we have no plans in place
>>> to move to 4.7.1 in the near term, although if there were campus demand
>>> we might.
>> So, the core of my question was basically "who is currently maintaining
>> WebAuth and what are the patch release plans"? It sounds like the answer
>> at the moment is "no one and there aren't any."
>> I personally don't use WebAuth at the moment, since my current employer
>> doesn't (at least yet) have a need for it, and it's a bit much for my own
>> personal needs, particularly since I mostly don't do web-ish things with
>> my personal infrastructure. I'm happy to keep packaging it for Debian,
>> particularly since the alternative is probably that it would be dropped
>> from the distribution, which would be a shame. Although if someone else
>> were doing that, or at least involved, it would probably be better, since
>> I can't really test.
>> I still care about reviewing patches and fixing things for people, and of
>> course know a lot about the code base, but WebAuth is a large enough thing
>> that there's really no way for me to maintain it in my scant free time. I
>> do have a web site up for it, though, and am happy to help with reviewing
>> It sounds like the broader WebAuth community might want to be thinking
>> about a path forward for future releases and maintenance? I'm happy to
>> throw some time into code review and answering questions and so forth.
> FYI: There is a group at Stanford looking at the future of web-based SSO on
> campus led by Scotty and Bruce. Jon R., Jon P., and I are also part of the
> group discussion. WebAuth and its future is part of that discussion, but no
> decisions have yet been made. In particular, no Stanford resources have been
> committed to WebAuth enhancement and development.
That's not exactly the same thing, or wasn't. I'm stepping back a little to
my duties when I was with the group -- it's been two months and a minor group
re-org since then, but I'm trying to explain where Russ and I have been
coming from. If there was major new WebAuth feature requests and anything,
I'd definitely have had to have someone assign my time to it as a project and
clear other things from my plate. But general WebAuth maintenance was part
of regular duties. That included answering tickets from people at Stanford,
maintaining the servers, but also responding to bugs and release management.
Those last two were relatively pretty rare. There aren't a lot of WebAuth
releases, and critical bugs don't come up too often and there's not a point
in doing a new point release for every patch. But while the code is open
sourced, the release management has been done by your group, through its
various iterations and reorgs, for over a decade. Other people don't
currently have the access to do so even if they volunteered.
So that's why I was pressing on this. I'm not saying you have to do this
work. Even if I wanted to, and I don't, I'm not the boss of you. :) I'm
just trying to lay out why this comes up and why the attention goes towards
you/the group. That feeds directly into Russ's -- it sounds like the
community needs to be thinking about what this means for it.
[[And short version for those outside of Stanford that may be wondering about
the names and duties. Russ, Adam, and I were all part of a group that's gone
through a number of name changes, so will just be called Group. Russ was
primary on WebAuth for a long time (shocking, I know), while I was backup.
He did code releases and the major work, though I'd been doing more work and
coding as time went on. He left Stanford last year and I took up primary
duties. I took up most of the work for the 4.7.0 release and did the release
itself. I had backups, but due to staffing issues didn't have time to do
much training. Then I left for another position at Stanford two months ago.
While I'm still at Stanford itself, the group I'm now in has nothing to do
with central authentication and I don't have work time that I can spend on
the project. Adam's the former tech lead, now manager for Group. Before I
left I did give as much training as I could on WebAuth along with my other
duties, but I apparently wasn't clear enough in describing all the
responsibilities with WebAuth. And that's where we are now.]]
Digital Library Systems & Services
Stanford University Libraries
More information about the webauth-info