
passlib takeover?

Open floppym opened this issue 1 year ago • 11 comments

Thanks for working on this fork. I am considering using it to replace the passlib package for Gentoo Linux.

I wanted to reach out to ask if you intend to take over the passlib project on pypi at some point. Have you been in contact with Eli Collins at all?

floppym avatar Dec 11 '24 02:12 floppym

Hey, I'm not sure about taking over passlib on PyPI, but I've not been in contact with Eli besides on heptapod issues. How is passlib currently used in Gentoo? I've dropped support for python 3.8 since it recently reached end of life.

notypecheck avatar Dec 11 '24 08:12 notypecheck

> How is passlib currently used in Gentoo?

It's a dependency of a couple packages.

https://qa-reports.gentoo.org/output/genrdeps/rindex/dev-python/passlib

> I've dropped support for python 3.8

We don't support Python 3.8 any longer either. Currently we support 3.10 to 3.13.

https://wiki.gentoo.org/wiki/Project:Python/Implementations

floppym avatar Dec 13 '24 15:12 floppym

It may be worth considering attempting a PEP 541 takeover. Possibly with a group of interested maintainers?

I don't know if this is actually an issue, but having a number of people involved in maintenance that would provide some redundant eyes on commits might help with any trust-factor issues with having the project maintained by someone other than @eli-collins.

I, for one, would really like to see the official passlib name taken over by someone (or a group of someones) willing to take on long-term maintenance.

mpounsett avatar Jun 11 '25 22:06 mpounsett

@mpounsett I don't mind having someone take a look at my past/future commits or contribute to passlib.

As for a PEP 541 request, it may be worth trying out at this point, since Eli wasn't active at all for the past year or so. I will try reaching out to them over email first.

notypecheck avatar Jun 12 '25 09:06 notypecheck

I hope it didn't sound like I was suggesting that it shouldn't be you taking over maintenance. My apologies if it did.

I think it's clear that passlib is abandoned by the criteria set out in PEP 541. I also think that the continued maintenance criteria are probably all met... depending on how the (very subjective) "improvements made" criterion is judged.

By "them" do you mean the PyPI maintainers or Eli? I was under the impression nobody had Eli's email address. If you do have Eli's address then yes, I'd recommend trying to reach out one more time. It certainly can't hurt your case.

If you mean the PyPI maintainers... rather than sending an email, I'd follow the PEP 541 process. Look to the "How to request a transfer" section. I just looked and there aren't currently any other requests to recover passlib, so opening a new issue there seems like the next thing to do. Make sure you've read the rest of the document and you're prepared with answers to questions about the various criteria you need to meet.

mpounsett avatar Jun 12 '25 14:06 mpounsett

I reached out to Eli at the work email that they have on the project's PyPI page, since that's the only email I was able to find. If I've read the PEP correctly, it's one of the requirements for the process, but I asked Eli if they could either transfer the PyPI project or participate in the development, which would obviously be better.

Also, you didn't come off as rude or anything, but it doesn't really matter to me who ends up maintaining the project, as long as the job gets done. I personally don't find much time to work on passlib due to work and some other projects.

notypecheck avatar Jun 12 '25 17:06 notypecheck

It seems to me that the most time-consuming work that would come up is maintenance of the directly supported crypto (anything not relying on a dependency). That requires a particular skillset that not everyone has. Also tied to that skillset would be the less demanding job of updating the list of recommended hashes and hash parameters.

The rest would be keeping up with API changes in dependencies, new versions of python, etc... which would be less frequent bursts of activity, and could be done by almost any volunteer python developer.

I would be happy to help contribute some time to those latter parts of the upkeep, but don't have the skills for the custom crypto work. There were at least a couple of people involved in the "is this alive" issue on Heptapod who seemed like they might be willing and able to help with the crypto, if you aren't in that camp yourself.

Either way, I think you could probably acquire some more maintenance help from that list of people if you wanted.

If you really don't think you have time to lead development, then it definitely would be worth moving this project to a GitHub organization page and trying to attract more contributors.

mpounsett avatar Jun 12 '25 18:06 mpounsett

Happy to help as well, we (Glitch Works, LLC) depend on passlib to manage some of our Ansible hosts, and as there hasn't been meaningful movement by Ansible to really replace passlib, the obvious answer is to fork it and clean up the outstanding issues.

I'd really love to bring argon2 support into Ansible so I can stop having to use md5 for the autocreated Ansible accounts on my NetBSD hosts! My open PR on Ansible won't move forward because "passlib is abandoned, we don't want to depend on it more" (PR is over a year old).

If it helps to have the repo maintained by a corporate entity we can do that, but it also doesn't matter to me who maintains it as long as it's being maintained!

chapmajs avatar Oct 08 '25 18:10 chapmajs

Hi - just noticed this open issue and wanted to add a data point. In OpenBSD we replaced passlib with libpass in packages earlier this year (before our 7.7 release). Only a few other packages depend on it, but some have definitely been tested since the changeover, and we haven't had any problems reported.

sthen avatar Oct 11 '25 14:10 sthen

Well, that explains why I hadn't encountered it earlier on OpenBSD hosts!

chapmajs avatar Oct 13 '25 13:10 chapmajs

Looks like the Slackware SlackBuild will be switching over to this fork as well.

chapmajs avatar Oct 17 '25 17:10 chapmajs