Offer to co-maintain key_asymmetric

Created on 2 June 2024, 7 months ago
Updated 17 June 2024, 6 months ago

I'm using this for the login_gov module and would very much prefer to have this opted-in to security support. As I see it, this module is basically done and only needs some administrative updates (create a 1.x-dev release, security opt-in) and on-going maintenance (phpcs fixes, D11, unit tests).

I'm happy to opt-in to security and provide additional support.

πŸ’¬ Support request
Status

Fixed

Version

1.1

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States John Franklin

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @John Franklin
  • πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Added you.

    However dumb it may be, I have never requested / received the permission to opt projects into security maintenance. And I'm not going to deal with that right now.

    (I could probably just ask and get it, given my history/interaction with security issues & maintenance of another module... but something stubborn in me says I want to "do my part" and first actually review 3 issues in that queue, before I do. Which I'm really planning to do since... 2017...)

    You're right, the module is basically done.

    • Adding the config schema (see other issue) would be ideal, but I'm not going to force you, since I didn't do it either.
    • The only other open issue is #3269077: How to downgrade to become compatible with phpseclib 2? β†’ and I was _maybe_ going to look at supporting v2 (i.e. making the v3 code optional) sometime, but given the priority of that relative to other things... that'll likely never happen anyway.
    • If you feel the need to change the README, I'd ideally like to see the changes before they're committed. Mainly as a way to keep up with what's happening.
  • Status changed to Fixed 7 months ago
  • πŸ‡ΊπŸ‡ΈUnited States John Franklin

    Thanks.

    It took me a long time to get around to applying for security opt-in permissions, too. Now that I have it, I'm trying to put it to good use.

    Regarding the three bullets you have listed there:

    • Config schema -- it's a good thing to add, but its absence doesn't break anything. If I get around to it, I'll file an MR.
    • I'd suggest closing the phpseclib2 ticket. It's only used to parse the keys and certs, so dropping the dependency entirely and doing it in straight PHP is an option. I've worked with the built-in PHP encryption API before.
    • Pretty much anything I do with the module, I'll file an MR for and let you take a look at it. Many eyes make all bugs shallow, as they say.
  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024