apereo / phpCAS

Apereo PHP CAS Client

Home Page:https://apereo.github.io/phpCAS/

jasig/phpcas package should be abandoned in favor of apereo/phpcas

jboulen opened this issue

When a project uses the jasig/phpcas package instead of the apereo/phpcas package, dependabot on github is unable to report the security alerts.
So maybe the jasig/phpcas package should have "abandoned" status to motivate developers to migrate to the apereo/phpcas package?

There is also a lack of information on packagist.org. Only the apereo/phpcas package announces security alerts:
https://packagist.org/packages/apereo/phpcas
https://packagist.org/packages/jasig/phpcas

Thanks for the info. Makes sense but currently the package is owned by someone else....

Do you mean that the jfritschi account referenced as maintainer on the jasig/phpcas package is not yours?
I can try to contact someone at packagist.org if you agree.

The account jfritschi is mine. But the apereo/phpcas package that you propose as future package is owned by someone else...

Oh, I thought that apereo/phpcas package was owned by someone from apereo...

I see the user with the same profile picture is on GitHub as @wuwx. We might need to do a more official outreach but looks like at least one of the maintainers here needs to have admin access of that packagist package to proceed.

Since c98aa74 there is some security risk for projects using phpCAS via composer:

Private Packagist, "What happened?": On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and

GitHub, composer/packagist: Package Repository Website - try https://packagist.com if you need your own - Refactor package permissions into a voter, restrict URL edits from 50k dls by Seldaek · Pull Request #1374 · composer/packagist

I have sent a message to packagist and hope they can simply transfer ownership of the package to me....

I have gained ownership and have now marked jasig/phpcas as abandoned and pointed to apereo/phpcas.

Great! Thank you @jfritschi!

I confirm that it works as expected:

$ composer update jasig/phpcas
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
**Package jasig/phpcas is abandoned, you should avoid using it. Use apereo/phpcas instead.**
Generating autoload files

So I can close my issue. :)
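The composer output above only warns at update time. The following is an added example (not phpCAS code and not part of this issue) showing how the same abandoned-package signal can be enforced in a CI job: it reads the locked package list from composer.lock and looks each package up in Packagist-style metadata. The composer.lock excerpt and the metadata fixture are constructed; the metadata shape (a per-version `abandoned` key holding either `true` or a replacement package name) and the package `example/old-test-helper` are assumptions for this example, so a real deployment would fetch the metadata and confirm the field.

```python
"""Audit a composer.lock for abandoned packages and their replacements.

Added example, not phpCAS code. It mirrors the check behind Composer's
"Package X is abandoned ... Use Y instead" warning so the signal can fail
a CI job instead of only being printed during `composer update`.
"""
import json
from typing import Dict, List, Optional

# Constructed composer.lock excerpt with only the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "jasig/phpcas", "version": "1.3.8"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [
        {"name": "example/old-test-helper", "version": "0.1.0"},
    ],
})

# Constructed stand-in for the per-package metadata Composer fetches from
# Packagist (https://repo.packagist.org/p2/<vendor>/<name>.json).
# Assumption for this example: a version object may carry an "abandoned"
# key holding either true (no replacement named) or the replacement
# package name. "example/old-test-helper" is a made-up package.
SAMPLE_METADATA = {
    "jasig/phpcas": {"packages": {"jasig/phpcas": [
        {"version": "1.3.8", "abandoned": "apereo/phpcas"},
    ]}},
    "psr/log": {"packages": {"psr/log": [{"version": "3.0.0"}]}},
    "example/old-test-helper": {"packages": {"example/old-test-helper": [
        {"version": "0.1.0", "abandoned": True},
    ]}},
}


def locked_packages(lock_text: str) -> List[Dict]:
    """Return every locked package (prod and dev) as name/version/dev records."""
    lock = json.loads(lock_text)
    records = []
    for section, is_dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section, []):
            records.append({"name": pkg["name"], "version": pkg["version"], "dev": is_dev})
    return records


def abandoned_status(name: str, metadata: Dict) -> Optional[str]:
    """None if not abandoned; "" if abandoned with no named replacement;
    otherwise the replacement package name."""
    versions = metadata.get(name, {}).get("packages", {}).get(name, [])
    for version in versions:
        flag = version.get("abandoned")
        if flag is True:
            return ""
        if isinstance(flag, str) and flag:
            return flag
    return None


def audit_lock(lock_text: str, metadata: Dict) -> List[Dict]:
    """List abandoned packages found in the lock file, with replacements."""
    findings = []
    for pkg in locked_packages(lock_text):
        status = abandoned_status(pkg["name"], metadata)
        if status is None:
            continue
        findings.append({**pkg, "replacement": status or None})
    return findings


def format_report(findings: List[Dict]) -> str:
    """Human-readable lines in the style of Composer's own warning."""
    lines = []
    for f in findings:
        scope = "dev" if f["dev"] else "prod"
        advice = (f"Use {f['replacement']} instead." if f["replacement"]
                  else "No replacement is named.")
        lines.append(f"[{scope}] {f['name']} {f['version']} is abandoned. {advice}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = audit_lock(SAMPLE_LOCK, SAMPLE_METADATA)
    print(format_report(report))
    # Non-zero exit lets a CI job fail on abandoned production dependencies.
    raise SystemExit(1 if any(not f["dev"] for f in report) else 0)
```

Because the lookup is keyed on the exact package name, a project that still depends on jasig/phpcas is reported with apereo/phpcas as the replacement, which is the same migration the thread asks for; dev-only findings are reported but do not fail the job.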