This project is still alive?
EasyNetDev opened this issue · comments
Hi all,
I notice that in the last year nobody is answering to the new PRs or bug reports.
I was working to add new features to this project and there is no movement from the owners at all.
Is still on going? This tool is part of Debian/Ubuntu distros and is a very good replacement of the current ifupdown tool because is very light, easy to use an perfect for a router device.
Can anybody ping the maintainers?
Yes, maintenance is ongoing, but I have been busy with other projects. Soon I will have more time to allocate towards this project.
Thanks. If you need some help, I will be glad to help this project.
From #222 (comment):
Dear @ifupdown-ng team, @kaniini, @BarbarossaTM: Can you look all PRs and @EasyNetDev has done several, he has done a lot of contributions!
- https://github.com/ifupdown-ng/ifupdown-ng/pulls
- https://github.com/ifupdown-ng/ifupdown-ng/pulls/EasyNetDev
There is no respect to do not look the work of people!
Maybe he can be an official team member.
The public list is empty here: https://github.com/orgs/ifupdown-ng/people
Thanks in advance.
Hi everybody! Could you please check the list of the PRs??? Are PRs in queue for very-very long time and nobody is taking care of this project anymore!
@ifupdown-ng team, @kaniini, @BarbarossaTM
Dear @ifupdown-ng, @BarbarossaTM, @kaniini,
The project is dead?
There are a lot of PR not merged since a long time!
For example, I think that @EasyNetDev can be officially a team member to manage this dead project.
Dear @ifupdown-ng, @BarbarossaTM, @kaniini,
What are your email addresses, we need to talk now.
It becomes now very important and urgent.
Thanks in advance.
@EasyNetDev, @Neustradamus,
@kaniini indicated to both of you previously that you should reach out to her via IRC rather than rely on GitHub messages. Have you done so?
Repeatedly posting identical complaints about a lack of a response to your PRs seems both impolite and counterproductive.
@col-gh: Thanks for your comment.
The bad point, I do not use IRC.
Like you know, I have done comments a long time ago, PR have not been merged.
It is important to comment again on @EasyNetDev PRs because it is not new and it is important now, several years ago to progress.
I do not want to create a new fork because the current team has stopped.
Hi @col-gh ,
I thought is a public project with some maintainers that are taking a look to this project from time to time. Using IRC in 2024 to reach the attention the maintainers, is a little bit hilarious.
I'm not using IRC from 2000s .., but I just installed now to reach their attention.
Also each time when I got a comment to any PRs or issues opened on Github I'm getting an email. I can't believe that all maintainers are ignoring these emails sent by Github. Doesn't sounds strange?
I don't want to be impolite, but having PRs for over 1 year in the queue .. I don't see where is the impoliteness here asking for the maintainers to check them.
Just saying as my point of view.
Now let's see when they will answer on IRC.
@col-gh I've tried to contact them over IRC. Until now the result is identical as Github or emails.
Hi all,
I maintain ifupdown-ng in Debian. I'd be happy to switch my packaging to a fork if one were to spring up. @EasyNetDev since you seem to be spending a lot of time developing features and fixes already why not just start your own fork?
This is how FLOSS development works. Sometimes people get busy or just get sick of doing the (admittedly thankless) job of maintaining. So if you want to see ifupdown-ng flourish step up and do the work, encourage others to join and see where that takes things instead of heckling busy people.
Frankly starting a fork is not that much work, maintaining it is where the real work starts ;) you might as well give it a go and see what happens.
--Daniel
@DanielG: Thanks for your message :)
@EasyNetDev has contacted the current team by e-mails and on IRC, and no answer.
It is better to have a new official maintainer than dead team, dead project and a fork.
A fork is not the best solution...
Dear current @ifupdown-ng team, @kaniini, @BarbarossaTM, can you add @EasyNetDev (and me?) to have a good future to all?
Thanks in advance.
Hi @DanielG
Thanks for you advice. I already have my fork where I'm trying to keep my patches update and I'm using for my use.
https://github.com/EasyNetDev/ifupdown-ng
Also there is branch https://github.com/EasyNetDev/ifupdown-ng/tree/ifupdown-ng/debian where I've added the Debian folder from original Debian ifupdown-ng and I'm using it to build my deb packages.
We can move to my repo. I can handle it with @Neustradamus and anybody want to contribute. I still have new features I wan to add.
I wouldn’t follow that person’s fork.
The reason we are not reviewing his PRs is because they are submitted to us in ways that are not reviewable.
If he would like to submit smaller PRs which actually describe the changes he is making, and why they are necessary, so that we can actually get an idea of the thought process that went into the work, then we would be happy to review those.
But “VRRP support version 6.2” as a PR subject with no information about what this is or why (yes, I know what VRRP is, but it’s not a versioned protocol) is not helpful and does not motivate anyone to review it.
Nor does the frankly borderline harassment to get PRs merged without proper review that we have been dealing with from both of these individuals over the past year.
Attempts have been made to educate both individuals on what we would find to be an acceptable PR, but the PRs are still presented in ways that are not motivating to review. The PRs that we have already reviewed also had errors.
Debian is obviously entitled to follow whatever fork they wish to follow, but seeing that the PRs presented still have errors and make changes that are not aligned with the overall design language of ifupdown-ng semantic configuration, we cannot promise any compatibility or support for those PRs in their present form.
Dear current https://github.com/ifupdown-ng team, @kaniini, @BarbarossaTM, can you add @EasyNetDev (and me?) to have a good future to all?
At present, it’s not happening. When PRs are submitted in a format where the reviewers can understand the thought process behind a feature’s development, then there would be something to discuss there.
Instead my personal email gets hounded to look at PRs with errors.
To some extent that is our fault as we have not formally specified what a “good” PR looks like, but to the same extent it should be reasonably common sense to understand that small changes are far preferable to monolithic PRs which don’t even explain what the changes are for.
As the project is still very much alive (though admittedly there is not much feature development happening right now), I am closing this.
Nor does the frankly borderline harassment to get PRs merged without proper review that we have been dealing with from both of these individuals over the past year.
If attempts of educating against this type of behaviour have failed perhaps it's time you consider using the GH moderation features https://github.com/settings/blocked_users. Works at the organizational level too.
Attempts have been made to educate both individuals on what we would find to be an acceptable PR, but the PRs are still presented in ways that are not motivating to review. The PRs that we have already reviewed also had errors.
That's a pity, I was afraid it would be something like that. You should just keep in mind that perception matters here and ignoring PRs looks worse from the outside than closing them with a link to a comment saying the above (or not having them land at all due to mod. settings).
Debian is obviously entitled to follow whatever fork they wish to follow, but seeing that the PRs presented still have errors and make changes that are not aligned with the overall design language of ifupdown-ng semantic configuration, we cannot promise any compatibility or support for those PRs in their present form.
I see no need to do that as long as the project is still responsive. My priority is seeing ifupdown-ng active since I will eventually have to support it for as long as it's in a stable release and doing that alone sucks :)
To some extent that is our fault as we have not formally specified what a “good” PR looks like, but to the same extent it should be reasonably common sense to understand that small changes are far preferable to monolithic PRs which don’t even explain what the changes are for.
I think it's unreasonable to expect everyone to just implicitly know this stuff. Some people might be new to the open development model and that doesn't mean they can't make valuable contributions -- it just means they need some TLC <3.
As long as such requirements are communicated and and contributions aren't met with silence I don't see a problem.
But “VRRP support version 6.2” as a PR subject with no information about what this is or why (yes, I know what VRRP is, but it’s not a versioned protocol) is not helpful and does not motivate anyone to review it.
I don't get it. I was developing this feature for some time and I was finding different issues. So I increment the "version of the patch" not VRRP version protocol.
If there are unclear things, I was expecting a reaction from the maintainers. But asking for you for months / years for somebody to help us, well, tell me to not submit any PRs anymore.
I'm not 100% Github developer, I'm doing in my spare time. And maybe there are a lot of things that I don't know about your requirements.
I thought Open source mean to contribute as we can to evolve a software and help together. But seeing such replies make me fell that all my work is useless.
Just tell me to cancel all my PRs and that's it.
Was better for me if there was a collaboration: you need to add this, this is not OK and you need to do like this .. etc.
You mean "harassment" when we kindly ask you to help us? Ok. If you consider this harassment, sorry for that.
What I don't understand how we harassment you (team of ifupdown-ng) by just asking to check our PR.
But whatever. I don't have anything to comment about this. I just wanted to help the project.
Just a simple answer to us in this long time when we tried to contact somebody could have been a better communication than just silent.
But each person can consider as they wish this. In my opinion was disrespectful for us to not get just an answer.
And @DanielG has some points. Your team believes that we should know all your knowledge without share them with us. Unfortunately most of us we want to contribute in our spare time.
When you don't communicate with us, but you expect from us to know all your requirements, then the problem is not in our side.
@EasyNetDev Just one more thing:
Your team believes that [...]
Don't anthropomorphise teams in FLOSS too much. They usually aren't usually anything like the company backed structures you might be familiar with. Volunteer groups just behave differently since no one is strongly incentivized by $$$ to do anything.
Try to focus more on the people behind the project, their interests, feelings, concerns and you'll better understand whats going on and how to contribute.
Thanks for advices. But unfortunately I'm not very familiar with such concepts. If something I did wrong, I was expecting from somebody to give me some guide lines.
I'm open person and I can get the feedback constructive. But if there is silent, I have no clue how to modify my PRs to fit to the guide lines.
"Try to focus more on the people behind the project, their interests, feelings, concerns and you'll better understand whats going on and how to contribute."
As I said before. I'm doing in my spare time, I like to do it and I want to help Open Source community and also I'm willing to learn. But I have no clue about any member of the project. Without interaction I have no clue how to manage this.
Maybe some context would be helpful.
ifupdown-ng development happens in the form of occasional sprints, which are usually triggered by some distro or another going “hey can we get a release?” and then usually myself saying “ok, cool, i’ll throw something together this weekend.”
sadly, or perhaps successfully, there is low demand for releases anymore. this is because even with its current features it handles most of the network configuration needs of distros using it. this has a side effect of reviews getting less attention in general when there is no demand for a release.
but it does not mean the project is dead. it also means that feedback on patches which are frustrating is likely to be postponed until the next development sprint, as there is no urgency on our end.
@DanielG: I have done several messages to have answer because there were not since a long time and it was same for @EasyNetDev directly.
Between one and two years for PRs...
Do you think it is normal?
@Neustradamus there is no obligation to review any specific PR within some designated by you timeline.
Important to specify here.
Some people attack me (@wookey for example) because there is a problem with the ifupdown-ng team who does not look PRs, and Issues created by several people.
For example, @EasyNetDev has done a lot of improvements and PRs have not been reviewed after several months/years, the team does not answer by message on GitHub, e-mails, or on IRC.
Note: Recently, there was a little change after a very long time!
@Neustradamus. You still don't seem to get it.
I didn't 'attack' you because there is a problem with the ifupdown-ng project. I 'attacked' you because of the way you behave in these threads.
That you characterise it this way illustrates that you don't yet accept any responsibility. Everything is always someone else's fault.
And it wasn't an 'attack'. I was trying to warn other people (in the avahi project) that you might not be what you seemed, and also advise you that if you are someone who is actually trying to help, not break in, then you need to learn some manners.
I will leave it at that - this isn't the right forum to try and teach people how to behave. I accept your protestations that you are a real person and not a bad actor (for now). I apologise for suggesting that you might be part of the plot. I suggest you reflect on why several people (not just me) thought that might be the case. People are going to be less tolerant of this sort of pressure in the future.
(for anyone wondering what we are talking about, it is this post: avahi/avahi#388 (comment) )
@kaniini: I thank you for your review here: #191 (comment) :)
I think that @EasyNetDev will be happy to see this, a long time of patience (2022-07-12), 2 years soon.
@Neustradamus it is suspicious that you're nagging maintainers of several projects trying really hard to say that there's a problem with them while also being the person to request the compromised xz version to be put in vcpkg. Coincidences like that are suspicious when the malicious maintainer of xz was given so much power because the original maintainer was bullied for not having time for development (exactly what you're doing)
@GOKOP: It is not same! You mix all.
I recall to all:
I am not linked to XZ project, I only do announcements or/and update requests (links after).
I have already specified, please look my comments in vcpkg Issues/PRs and at other places.
About ifupdown-ng, @EasyNetDev has proposed to create a fork, I have specified it is not a good solution but the solution is to have reactions from original team (silence on GitHub, e-mails, or IRC).
When there are no changes since several years, there is a problem.
After a very long time, yesterday, after the controversy, @kaniini has done a review requested by the author 2 years ago soon.
The future progress now!
@EasyNetDev has done after the recent review, new developement changes, he is very responsive.
About Avahi, I have participated to have changes, and to have a new team, after a long time, I have a big success on it :)
I have done a ticket for a 0.9.0 release in 2021 before CVEs from 2023: avahi/avahi#325
You can look my comment here: avahi/avahi#388 (comment)
When there are published CVEs, it is needed to solve it ;)
To help you to know what is a CVE, please read here: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
When a CVE or several CVEs exist, the project is unsecure, it is only a reality, currently it is it for Avahi:
I invite you and all people to follow me here and have announcements:
@Neustradamus You need to understand that the xz situation is forcing people to look at the one inherent weakness of open source software, namely social engineering by means of pressuring an overworked and under-, or more likey un-paid maintainer into trusting a bad actor and letting them modify code.
The open source process will change, and I can guarantee you that any request that could even vaguely be interpreted as being pressuring will either be heavily scrutinized (that's what is happening to you at the moment) or be summarily flagged and discarded.
As a result your approach will need to change as well. How? I don't know. But no more pressuring. I'm sure there will be solutions in the long term, but until the situation has cleared up I recommend you step back and implement any critical changes in a fork for yourself.
@Kraligor: I think you do not understand the situation, I have not created any PRs, I have not created backdoor, etc.
Like you can see:
I have only requested an update of XZ in vcpkg in 5.4.5 or 5.6.0 because there was only 5.4.4.
I have not requested to XZ team to accept bad PRs, etc.
I had confidence in their project management.
Maybe my vcpkg request has permitted to the Microsoft developer to found the backdoor.
I have only informed, it is the reality:
- The ifupdown-ng team that there are a lot of PRs without review in 2 years (not only from @EasyNetDev), reviews are important and silence are not good (GitHub, e-mails, IRC)
- I have said that Avahi is currently unsecure project because several CVEs exist in current latest build -> 0.8.0 (2020), I have done a ticket in 2021 to have a 0.9.0... cvedetails for Avahi: https://www.cvedetails.com/vulnerability-list/vendor_id-4481/Avahi.html and my ticket here: avahi/avahi#503
It is normal to contact developers to secure a project and improve the code...
Maybe some of people can look SCRAM secure mechanisms too, it replaces since 2010 unsecure CRAM-MD5, DIGEST-MD5 mechanisms.
It is normal to inform people that there are new software versions, I propose you to check all my announcements here:
This issue is awfully suspicious. microsoft/vcpkg#37197
This is the version affected by the xz attack
https://github.com/Neustradamus should be treated with a great deal of scrutiny.
@Neustradamus You don't get it. A lot of your comments in this very thread, as well as a few others, come off as nagging, aggressive or passive aggressive towards the maintainers.
Here you accuse them of disrespecting people who opened PRs: (they don't owe anything to anyone)
There is no respect to do not look the work of people!
Here you say that they are a problem: (again, they don't owe anything to anyone)
Some people attack me (@wookey for example) because there is a problem with the ifupdown-ng team who does not look PRs
Here you're being passively aggressive in a comment that would be a nice comment without this line:
I think that @EasyNetDev will be happy to see this, a long time of patience (2022-07-12), 2 years soon.
Your activity aren't friendly reminders, it's bullying. The recent xz fiasco happened because of Jia Tan, who was most likely only accepted as a maintainer because the original maintainer was being bullied for not having enough time for development. There's also several comments where you heavily insist that the project may need a new maintainer. Regardless of whether or not you're guilty of anything it's important to be cautious about such patterns when this is exactly what happened at xz.
And sure, someone had to prompt vcpkg to update xz in their repositories, but it's a terribly curious coincidence that of all the people it was you, considering the whole picture.
Also, why did you follow me?
@Neustradamus Not what I was getting at, at all. I don't accuse you of being in any way involved in the xz exploit. And this isn't about any particular commit. This all breaks down to:
Trying to pressure maintainers in order to get a commit approved, or even be made co-maintainer, is not going to work ever again in any open source project.
That's an easily deductible fact. What you make of this information is your own decision. But based on how this thread is starting to turn out for you, I highly recommend you change your approach.
not going to comment any more after at risk of derailing things but I thought I should say something.
Also, why did you follow me?
they also followed me on GitHub and Twitter after I put a sad face reaction on a comment that only mentioned them and wasn't written by them. it was written by someone named likecrazy1 (namenumbers) whose gh account was created January 2024 (very new) who tried to vouch for neustradamus. I was very uncomfortable with that so I just blocked the neustradamus accounts.
i hope someone can convey to them that their behavior is annoying at best and suspicious/tiring at worst.
additionally, accounts with a history can be bought out so in some cases even that may not be a strong leg to stand on.
@dylanmtaylor: It is not a surprise, I have cited the situation previously, maybe you have not looked all my comments with all details ;)
You can look this comment too:
I recall: I have no link with XZ project, and I am not the author of the backdoor and I have not done a PR or a commit in the XZ source project.
I do since a very long time announcements (XZ included) on social networks and/or I request software updates and/or I request new version because the latest one is old and several because there are unsolved CVEs, you can check without any problem.
For XZ project, I had confidence in their project management like a lot of people.
Some examples here for XZ on Twitter:
- https://twitter.com/neustradamus/status/1559262505674883073
- https://twitter.com/neustradamus/status/1607567545669746688
- https://twitter.com/neustradamus/status/1614386217067372544
- https://twitter.com/neustradamus/status/1640858298898341888
- https://twitter.com/neustradamus/status/1751748794725564846
- https://twitter.com/neustradamus/status/1751748891232403558
- https://twitter.com/neustradamus/status/1774027871712886813
- https://twitter.com/neustradamus/status/1775655656718037422
- https://twitter.com/neustradamus/status/1775892647380734349
Please look all here, you have several years of announcements, you are welcome to follow me, to keep news ;)
- https://mastodon.social/@neustradamus
- https://twitter.com/neustradamus
- https://bsky.app/profile/neustradamus.bsky.social
- https://news.ycombinator.com/user?id=neustradamus
- https://www.reddit.com/user/Neustradamus/
- ...
Please look SCRAM RFCs to add support in some projects, it replaces unsecure CRAM-MD5, DIGEST-MD5 and others since 2010 :)
@GOKOP: I have never attacked a person, I have always talked with team correctly.
Some teams or people may not respond for days, weeks, months, years.
No respect for contributors or requesters, etc.
Some people or teams have stopped, there is a button to archive the repositories, some have done it.
When I propose solution to keep a project alive, it is possible, for example Avahi is not dead, several CVEs have been solved (not all) but only in upstream (no new release yet).
@EasyNetDev has done a lot of improvements, he has not answer from team, I have helped to have reactions. The situation has been changed, thanks @kaniini for your recent review... @EasyNetDev has already done changes and comments, he is very responsive.
I follow a lot of people, why not you?
@Kraligor: See previously.
@amelielavender: See previously too.
"They"?? Who? Me and?
I check all comments/messages/reactions.
Because I have followed you, like a lot of others, a new attack, the new one is that I have bought this account and another account too. Which is entirely false.