Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

Future WebAuth releases

Jon Robertson jonrober at
Tue Dec 1 08:56:39 PST 2015

On 12/01/2015 08:03 AM, Adam Lewenberg wrote:
> On 11/30/2015 7:46 PM, Russ Allbery wrote:
>> Adam Lewenberg <adamhl at> writes:
>>> Currently, we have no people committed to working on WebAuth development
>>> at Stanford. As for our plans regarding 4.7.1, we have no plans in place
>>> to move to 4.7.1 in the near term, although if there were campus demand
>>> we might.
>> So, the core of my question was basically "who is currently maintaining
>> WebAuth and what are the patch release plans"?  It sounds like the answer
>> at the moment is "no one and there aren't any."
>> I personally don't use WebAuth at the moment, since my current employer
>> doesn't (at least yet) have a need for it, and it's a bit much for my own
>> personal needs, particularly since I mostly don't do web-ish things with
>> my personal infrastructure.  I'm happy to keep packaging it for Debian,
>> particularly since the alternative is probably that it would be dropped
>> from the distribution, which would be a shame.  Although if someone else
>> were doing that, or at least involved, it would probably be better, since
>> I can't really test.
>> I still care about reviewing patches and fixing things for people, and of
>> course know a lot about the code base, but WebAuth is a large enough thing
>> that there's really no way for me to maintain it in my scant free time.  I
>> do have a web site up for it, though, and am happy to help with reviewing
>> patches.
>> It sounds like the broader WebAuth community might want to be thinking
>> about a path forward for future releases and maintenance?  I'm happy to
>> throw some time into code review and answering questions and so forth.
> FYI: There is a group at Stanford looking at the future of web-based SSO on
> campus led by Scotty and Bruce. Jon R., Jon P., and I are also part of the
> group discussion. WebAuth and its future is part of that discussion, but no
> decisions have yet been made. In particular, no Stanford resources have been
> committed to WebAuth enhancement and development.

That's not exactly the same thing, or wasn't.  I'm stepping back a little to 
my duties when I was with the group -- it's been two months and a minor group 
re-org since then, but I'm trying to explain where Russ and I have been 
coming from.  If there was major new WebAuth feature requests and anything, 
I'd definitely have had to have someone assign my time to it as a project and 
clear other things from my plate.  But general WebAuth maintenance was part 
of regular duties.  That included answering tickets from people at Stanford, 
maintaining the servers, but also responding to bugs and release management.

Those last two were relatively pretty rare.  There aren't a lot of WebAuth 
releases, and critical bugs don't come up too often and there's not a point 
in doing a new point release for every patch.  But while the code is open 
sourced, the release management has been done by your group, through its 
various iterations and reorgs, for over a decade.  Other people don't 
currently have the access to do so even if they volunteered.

So that's why I was pressing on this.  I'm not saying you have to do this 
work.  Even if I wanted to, and I don't, I'm not the boss of you. :)  I'm 
just trying to lay out why this comes up and why the attention goes towards 
you/the group.  That feeds directly into Russ's -- it sounds like the 
community needs to be thinking about what this means for it.

[[And short version for those outside of Stanford that may be wondering about 
the names and duties.  Russ, Adam, and I were all part of a group that's gone 
through a number of name changes, so will just be called Group.  Russ was 
primary on WebAuth for a long time (shocking, I know), while I was backup. 
He did code releases and the major work, though I'd been doing more work and 
coding as time went on.  He left Stanford last year and I took up primary 
duties.  I took up most of the work for the 4.7.0 release and did the release 
itself.  I had backups, but due to staffing issues didn't have time to do 
much training.  Then I left for another position at Stanford two months ago. 
  While I'm still at Stanford itself, the group I'm now in has nothing to do 
with central authentication and I don't have work time that I can spend on 
the project.  Adam's the former tech lead, now manager for Group.  Before I 
left I did give as much training as I could on WebAuth along with my other 
duties, but I apparently wasn't clear enough in describing all the 
responsibilities with WebAuth.  And that's where we are now.]]

Jon Robertson
Systems Administrator
Digital Library Systems & Services
Stanford University Libraries

More information about the webauth-info mailing list