
Statement from the maintainer

Open aminya opened this issue 2 years ago • 11 comments

I am writing to express my concerns about the recent events that have taken place regarding my work on zeromq.js. As you are aware, I have been working on this library in my free time and have put a lot of effort into making it a success. I tried to support the development of zeromq.js as a library used by millions through huge projects such as VSCode Jupyter integration.

However, I have recently experienced some issues with the way that my work has been treated. Specifically, my repositories were deleted without my knowledge and I have been treated with unprofessional behaviour. This has left me feeling disrespected and unappreciated.

I believe that it is the responsibility of @zeromq/core to ensure that all community members are treated with respect and professionalism. Unfortunately, I do not feel that this has been the case in my interactions with libzmq. If this is not possible, I will be forced to reconsider my involvement with zeromq.js. Thank you all for your attention to this matter.

More Context: https://github.com/zeromq/libzmq/pull/4562#issuecomment-1592611715 https://github.com/zeromq/libzmq/issues/4484#issuecomment-1372860474

aminya, Jun 25 '23 04:06

Sorry to see your attempts to contribute being treated so rudely by @bluca. His expressions are filled with arrogance and disrespect. Disregarding the existing issue, he continuously uses a condescending tone to obstruct your feedback and contributions, and abruptly closed your issue and deleted your repository, instead of trying to communicate and resolve the actual problems with contributors.

crimx, Jun 25 '23 05:06

Totally understand your concern and feelings. I was following the conversations and had the same thought.

Together with https://github.com/zeromq/libzmq/pull/4550 , given the fact that no official release has been made for 2+ years, this project seems stalled to me. And not welcoming good intentions at all...

Not that anyone will care, but most likely I will be moving to nanomsg https://github.com/nanomsg/nng

Anyway, thank you very much for your work @aminya

Bartel-C8, Jun 25 '23 07:06

There are many things that projects which are guests of this org can do, almost anything as can be seen from the list of repositories. But there are still some limits. My duty as one of the project leaders is not to make you happy whatever the cost may be, it's to ensure those limits are not overstepped, resulting in a security disaster down the line for the project.

You were told with extreme clarity and no uncertainty that forking cryptographic primitives inside the org for the sake of convenience was not an OK thing to do, as there are neither cryptographers nor a 24/7 on-call security team available here to do the required maintenance work that would become necessary.

You went ahead and you forked a third-party cryptographic library inside the org anyway. So yes, of course I stepped in, and I would do so again in the same situation, as that's my (unpaid) job.

Github is a big place, and you are free to expose users to disastrous security incidents from your own personal repositories or from any other org that does not care about security practices and supply chain security, if you wish, so that the responsibility when things inevitably go south lies with you or a third org. Not from this org, though.

Due to the total lack of paid engineering resources we are already struggling as it is to keep the lights on, and I'll be damned if I let major, obvious and glaring security malpractices creep in this org for the sake of convenience. And if that upsets you, well, sorry, but the answer is still no.

bluca, Jun 25 '23 11:06

Disclaimer: I did not check the language of all posts by @bluca on this issue.

However, I DO support his statement above.

gotcha, Jun 26 '23 07:06

Hey @aminya ,

we can't ask @bluca to change their security policies, but zeromq.js's security standards are lower (e.g. for many years we've distributed a precompiled libzmq for Windows). Couldn't we do something similar and have the patch required to statically link libsodium distributed in zeromq.js?

n-riesco, Jun 29 '23 16:06

As I mentioned on the PR, fixing cmake bugs around static linking is fine. The key is that someone else, not the org, provides the actual crypto primitives code, so that it's on them to maintain it and support it when it inevitably needs security maintenance, and not on this org.

bluca, Jun 29 '23 17:06

Is this package still being maintained? I see it's been >2 months since the last commit.

I am not any kind of expert on zmq or libsodium to be commenting much on the context here, but I do believe 2 things:

  1. Both libzmq and this zeromq.js package ought to be very conservative about working with cryptographic libraries and primitives, and should not be directly responsible for maintaining them.

  2. Maintainers ought to be patient and understanding with each other. We all have the same goals here, disagreements about the best way to achieve those goals are normal and shouldn't result in deadlocks. A lot of people are putting in a lot of time and effort in exchange for no money, so the least they deserve is patience and appreciation and of course that goes both ways.

That said, I appreciate the people maintaining and contributing to this excellent project and I hope it keeps moving forward.

sangaman, Aug 31 '23 16:08

Interesting divergence into the technical issues in this discussion rather than the main problems I mentioned in this statement.

Is this package still being maintained?

I have not seen a change in the attitude and behaviour. What I can do is to fork things to my personal account, so people cannot delete the repositories I create, and then I can continue maintaining this.

aminya, Sep 13 '23 20:09

@bluca what is your suggestion to get out of this deadlock?

farzadpanahi, Sep 27 '23 19:09

@bluca what is your suggestion to get out of this deadlock?

↓↓↓↓↓↓↓↓↓↓↓

As I mentioned on the PR, fixing cmake bugs around static linking is fine. The key is that someone else, not the org, provides the actual crypto primitives code, so that it's on them to maintain it and support it when it inevitably needs security maintenance, and not on this org.

bluca, Sep 27 '23 19:09

Hello @aminya , I recently started using zeromq.js 6.0 and came upon this issue. I just wanted to ask if the commit on November 20th means that this repo is being actively maintained again. It seems like a great project and we really appreciate your contributions 😄

WolffRuoff, Dec 21 '23 14:12