Hello,

I am a user of the Auth_SASL package
(http://pear.php.net/package/Auth_SASL/) for a few years now. And I
see it does not have a maintainer lately. I am interested in
particular by a given feature, which is adding the pretty "recent" (in
Internet technology point of view) and very good SCRAM family of SASL
mechanisms. See RFC 5802.

So I won't lie to you: I won't pretend to try and improve this library
as far as possible in supporting every possible SASL mechanism on
earth. I will make in priority the implementations I am wishing for my
own projects. If someone who promises to be much more dedicated than I
am wishes to step-up, I will give the role with pleasure. Simply for
now, I think that's sad that there is just no maintainer at all. So I
propose to be this one.
Now what else I can tell you I will do:
- I will follow up with bug reports and try to report patch or fix
real bugs when relevant;
- I will read coding standards and follow them to the letter;
- I am rather focused on security, which — I think you'll agree — is
quite important for a package as Auth_SASL;
- as long as I will be maintainer, I won't abandon the package. I may
not implement crazy new features and mechanisms every day; but I will
answer to reports in a civil manner, try to fix what I can fix, and so
on. I don't plan on being a ghost maintainer, coming in, making some
things for 1 month, then disappearing forever. I am more a low but
constant maintenance type.

Now my background: apart as a user for some years, I never had a
relation with PEAR. So that part would be new for me. But I am not a
newcomer in development or the specification world.

As a developer, I have worked for some years as engineer for a French
business software company (Systar) and I am currently the Senior
Application Developer for the startup myGengo (working mainly on PHP).
On the side, I work with PHP for some years, in particular on
Wordpress plugins:
- Jabber Feed: http://wordpress.org/extend/plugins/jabber-feed/
- XMPP-Authentication: http://wordpress.org/extend/plugins/xmpp-auth/
On both these plugins, I use Auth_SASL, and I want to update Auth_SASL
because XMPP recently updated its authentication recommendation to
using SASL-SCRAM (see RFC-6120).

Also, not PHP, but I have already written a full SASL implementation
in ObjectiveCaml (for the Ocaml XMPP library I am writing), with in
particular the SCRAM mechanism:
http://git.tuxfamily.org/?p=gitroot/ocamlxmpp/ocamlxmpp.git;a=blob;f=trunk/src/crypt/SASL.mli;h=2c98d39e89a97915601f2283161fe55d2aa64940;hb=HEAD
Note that this is not a C wrapper, this is a fully native OCaml
implementation that I wrote, just as Auth_SASL is a native PHP
implementation.

In the Standards world, I have also quite an activity in XSF (the XMPP
Standards Foundation) and some activity in IETF as well, in a few
specific fields (for instance, in RFC-5802, SASL SCRAM, you can see I
am the author of the 3 verified errata already approved:
http://www.rfc-editor.org/errata_search.php?rfc=5802 ).

As a conclusion, I think I am quite a good candidate to take over
maintenance over the currently abandoned Auth_SASL: I know well SASL
on the specification side; I have already written a native
implementation in another language; I use the package on personal Free
software projects (that I intend to have run on xmpp.org soon, the
official XSF website, when they get stable); and finally I work
currently as Senior Core Developer (with PHP as main language used) as
my daily job.
So I hope you will accept my candidature!
Thanks.

Jehan


  • Jehan Pagès at Aug 22, 2011 at 8:24 am
    Hi,

    I have sent my "report of intention" (below) to take over the
    unmaintained Auth_SASL package, along with some background on myself,
    9 days ago but did not get any kind of answer.
    Has my email been considered?

    I hope I don't look like I am "pressuring" and guess you must have a
    lot of other emails. I was just scared my email might have been
    "forgotten" amongst the lot.
    Thanks.

    Jehan

  • Christian Weiske at Aug 22, 2011 at 6:52 pm
    Hello Jehan,

    > I have sent my "report of intention" (below) to take over the
    > unmaintained Auth_SASL package, along with some background on myself,
    > 9 days ago but did not get any kind of answer.
    > Has my email been considered?
    >
    > I hope I don't look like I am "pressuring" and guess you must have a
    > lot of other emails. I was just scared my email might have been
    > "forgotten" amongst the lot.
    I'm sorry nobody answered you yet.
    The next steps will be the following:
    - I move the Auth_SASL package from svn to github
    - After that, you can fork it and apply your patches
    - Send your patches/pull requests to the pear-dev/pear-qa and we'll
    have a look at them. If nobody answers, bug us and ask again.
    - After some good patches, you'll get full maintainer status.

    --
    Regards/Mit freundlichen Grüßen
    Christian Weiske

    -=≡ Geeking around in the name of science since 1982 ≡=-
  • Jehan Pagès at Aug 22, 2011 at 7:13 pm
    Hi,

    2011/8/23 Christian Weiske <cweiske@cweiske.de>:
    > Hello Jehan,
    >
    >> I have sent my "report of intention" (below) to take over the
    >> unmaintained Auth_SASL package, along with some background on myself,
    >> 9 days ago but did not get any kind of answer.
    >> Has my email been considered?
    >>
    >> I hope I don't look like I am "pressuring" and guess you must have a
    >> lot of other emails. I was just scared my email might have been
    >> "forgotten" amongst the lot.
    > I'm sorry nobody answered you yet.
    It's ok. I guess you see a lot of email passing every day. :-) I am
    used to development and standards mailing lists where you have to ask
    2 or 3 times before being noticed.
    > The next steps will be the following:
    > - I move the Auth_SASL package from svn to github
    > - After that, you can fork it and apply your patches
    > - Send your patches/pull requests to the pear-dev/pear-qa and we'll
    > have a look at them. If nobody answers, bug us and ask again.
    > - After some good patches, you'll get full maintainer status.
    Nice, thanks. I'll begin to code on SASL SCRAM then, since I have not
    encountered any bug yet in my use of the other mechanisms. :-)
    And in the meantime, I'll wait for a following email where you'll tell
    me where to get the package on github, I guess?

    Thanks for the answer anyway!
    Looking forward to working on this package.

    Jehan
  • Christian Weiske at Aug 22, 2011 at 9:12 pm
    Hello Jehan,

    >> The next steps will be the following:
    >> - I move the Auth_SASL package from svn to github
    >> - After that, you can fork it and apply your patches
    >> - Send your patches/pull requests to the pear-dev/pear-qa and we'll
    >> have a look at them. If nobody answers, bug us and ask again.
    >> - After some good patches, you'll get full maintainer status.
    > Nice, thanks. I'll begin to code on SASL SCRAM then, since I have not
    > encountered any bug yet in my use of the other mechanisms. :-)
    > And in the meantime, I'll wait for a following email where you'll tell
    > me where to get the package on github, I guess?
    The package is on github now:
    https://github.com/pear/Auth_SASL

    --
    Regards/Mit freundlichen Grüßen
    Christian Weiske

    -=≡ Geeking around in the name of science since 1982 ≡=-
  • Jehan Pagès at Sep 1, 2011 at 5:14 pm
    Hi,

    2011/8/23 Christian Weiske <cweiske@cweiske.de>:
    > The next steps will be the following:
    > - I move the Auth_SASL package from svn to github
    > - After that, you can fork it and apply your patches
    > - Send your patches/pull requests to the pear-dev/pear-qa and we'll
    > have a look at them. If nobody answers, bug us and ask again.
    Ok so I made a patch for the SCRAM (RFC-5802) support.
    This is a full support of the "normal" SCRAM-* mechanisms without
    channel binding (so not yet the SCRAM-*-PLUS mechanisms).

    I hooked this to the hash extension (enabled by default since PHP
    5.1.2, a PECL extension for older PHP versions) but falling back to
    sha1 and md5 functions and a custom hmac otherwise.
    As a consequence, if the hash extension is available, it shall support
    SCRAM-MD5, SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384
    and SCRAM-SHA-512. Otherwise it will support "only" SCRAM-SHA-1 and
    SCRAM-MD5.

    I have also made a few naming improvements. The Auth_SASL factory
    (SASL.php) was accepting names like DIGESTMD5 or CRAMMD5. But they are
    not the official names (see the IANA registry:
    http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xml).
    In other words, it was impossible to use this factory in order to
    directly test and process a mechanism received during a SASL
    negotiation (for instance while connecting a XMPP, IMAP or POP server)
    and one had to keep a correspondence table between official SASL
    naming and this "custom" naming. Now the SASL names can be tried
    directly with their real name received on the wire.
    I still accept the custom naming too of course (the goal is not to
    break existing code!) but added a E_USER_DEPRECATED warning when a
    user passes such broken names as parameter.
    > - After some good patches, you'll get full maintainer status.
    I hope this one will make it then! I have skimmed through the coding
    standards and hope I don't break too many rules. I saw the line length
    is not a strict rule for instance (I set 120 characters as my default
    vim configuration, and sometimes I even allow myself a little more if
    I think this will be nicer), so I hope that's not too big a problem.
    Don't hesitate to tell me though if there are some rules I should be
    stricter on myself about!

    I will have a few other features or fixes of interest in the near future, I think.

    Oh and my SCRAM implementation is working and tested against a live
    XMPP server authentication (which worked perfectly).
    Thanks!

    Jehan
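
An added illustration of the two behaviours described in the message above: official IANA mechanism names accepted alongside the deprecated legacy spellings, and SCRAM-* support that depends on the hash extension. It is not the patch attached to this thread nor Auth_SASL's code; the function names `canonical_mechanism`, `scram_hash` and `scram_hmac`, the sample list and the HMAC key are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not Auth_SASL code; all function names are hypothetical.

// Legacy factory spellings mentioned in the post -> IANA-registered names.
const LEGACY_NAMES = ['DIGESTMD5' => 'DIGEST-MD5', 'CRAMMD5' => 'CRAM-MD5'];

// Return the registered name, warning when a legacy spelling was passed.
function canonical_mechanism(string $name): string
{
    $upper = strtoupper($name);
    if (!isset(LEGACY_NAMES[$upper])) {
        return $upper;
    }
    trigger_error("SASL name '$name' is deprecated; use '" . LEGACY_NAMES[$upper] . "'", E_USER_DEPRECATED);
    return LEGACY_NAMES[$upper];
}

// Map SCRAM-<HASH> to a locally usable hash name, or null when unsupported.
// SCRAM-*-PLUS (channel binding) does not match and is rejected.
function scram_hash(string $mechanism): ?string
{
    if (!preg_match('/^SCRAM-(MD5|SHA-(?:1|224|256|384|512))\z/', $mechanism, $m)) {
        return null;
    }
    $algo = strtolower(str_replace('-', '', $m[1])); // "SHA-256" -> "sha256"
    $known = function_exists('hash_algos') ? hash_algos() : ['sha1', 'md5'];
    return in_array($algo, $known, true) ? $algo : null;
}

// HMAC (RFC 2104): hash extension when present, else built on sha1()/md5().
function scram_hmac(string $algo, string $key, string $data): string
{
    if (function_exists('hash_hmac')) {
        return hash_hmac($algo, $data, $key, true);
    }
    $block = 64; // block size shared by MD5 and SHA-1
    if (strlen($key) > $block) {
        $key = $algo($key, true);
    }
    $key = str_pad($key, $block, "\0");
    $inner = $algo(($key ^ str_repeat("\x36", $block)) . $data, true);
    return $algo(($key ^ str_repeat("\x5c", $block)) . $inner, true);
}

// Constructed sample: names as seen on the wire plus one legacy spelling.
foreach (['SCRAM-SHA-1-PLUS', 'SCRAM-SHA-256', 'SCRAM-SHA-1', 'DIGESTMD5'] as $wire) {
    $name = canonical_mechanism($wire);
    $algo = scram_hash($name);
    $tag  = $algo !== null ? bin2hex(scram_hmac($algo, 'key', 'Client Key')) : 'not a usable SCRAM-* name';
    echo "$wire -> $name: $tag\n";
}
```
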
  • Jehan Pagès at Sep 1, 2011 at 5:15 pm
    Hey again!
    Common mistake, I forgot to attach the file! Here it is.

    Jehan

  • Christian Weiske at Sep 5, 2011 at 5:12 am
    Hello Jehan,

    >> Ok so I made a patch for the SCRAM (RFC-5802) support.
    >> This is a full support of the "normal" SCRAM-* mechanisms without
    >> channel binding (so not yet the SCRAM-*-PLUS mechanisms).
    > Common mistake, I forgot to attach the file! Here it is.
    Ken applied your patches and released a new version of Auth_SASL.

    --
    Regards/Mit freundlichen Grüßen
    Christian Weiske

    -=≡ Geeking around in the name of science since 1982 ≡=-
  • Jehan Pagès at Sep 5, 2011 at 6:52 am
    Hi,

    2011/9/5 Christian Weiske <cweiske@cweiske.de>:
    > Hello Jehan,
    >
    >>> Ok so I made a patch for the SCRAM (RFC-5802) support.
    >>> This is a full support of the "normal" SCRAM-* mechanisms without
    >>> channel binding (so not yet the SCRAM-*-PLUS mechanisms).
    >> Common mistake, I forgot to attach the file! Here it is.
    > Ken applied your patches and released a new version of Auth_SASL.
    Nice thanks!

    Jehan

Discussion Overview
group: pear-qa @
categories: php
posted: Aug 13, '11 at 7:12a
active: Sep 5, '11 at 6:52a
posts: 9
users: 2
website: pear.php.net
