1/8/2024 0 Comments Matt silverlockWhile money was not cited as a concern here, we should be financially supporting and hiring open-source maintainers. To keep open source software working properly, the Chainguard crew said, “Companies need to be providing their teams with work time to contribute back to projects they rely on. But there’s no guarantee, and there’s certainly no magic. The other problem is we all too often believe that an open source project will magically keep improving and fixing security holes as they emerge. There the legitimate project was sold to an unscrupulous company that used the plugin to spread malware. If you let any Tom, Dick, or Harry become a maintainer, you could end up with a situation such as Chrome’s “ The Great Suspender” plugin. The first was that Gorilla was unable to find trustworthy maintainers. All of the Gorilla libraries are permissively licensed under the MIT, BSD-3, and Apache 2.0 licenses.īut, while forking a project is easy, forking one and building around it is much harder.Īs Dan Luhring and Eddie Zaneski, software supply chain security company Chainguard software engineers, put it, the Gorilla collapse underlined two problems. You can, of course, fork the project or its libraries. Oh, and security patches? Please! Get real. You can still clone them, get them, and build projects against them just as you always have. That means the repositories go into “read-only” mode. The remaining supporters have decided to archive the project at 2022’s end. So, after almost a year of attempting to find someone who could responsibly take over the libraries. There was never an effort made to monetize Gorilla. Silverberg added, “This isn’t a dig at maintainers who do want to be paid for their efforts, but a reminder that not everyone does things for money.” Besides, Gorilla never had any cash. Like so many important, but unappreciated open source projects, Gorilla was about the money. This has tended to play out poorly with other projects.” About the Money “As we said in the original call for maintainers: ‘no maintainer is better than an adversarial maintainer!’ - just handing the reins of even a single software package that has north of 13k unique clones a week (mux) is just not something I’d ever be comfortable with. … we just never seemed to get anyone to stick.” Instead, a number of folks raised their hands (read: commented in the thread) and then were never seen again. The call for maintainers made it clear we’d help merge and do a final review for anyone wanting to start contributing. As the last maintainer Matt Silverlock, said, “ There were no active contributors, even triaging issues. Bodies NeededĪnd, boy, were new maintainers needed. The project maintainers called for new blood, and no one answered. How could this happen to such an important project? Easy. And, with all that, the project has now been abandoned. Indeed, Gorilla’s WebSocket library is even used in Kubernetes. It’s called in for duty on such top projects as Cilium, Istio, and Open Policy Agent. How popular? Try mux is used in over 90,000 repositories. In particular, mux, its web request router, has been very popular. It consists of packages that augment Go’s base libraries to add important features such as parameterized routing and session management. Here's the design of my handlers: func Handler() http.For years, the Gorilla Web Toolkit was a popular, open source Go toolkit for web-based applications. I am designing my handlers to return a http.Handler.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |