Replies: 24 comments 28 replies
-
I can't find any other secret management that is better than sops right now. Using it to encrypt my fluxcd gitops and ansible decryption right now. I just hope you can at least update the required libraries so it doesn't break in the future. It will be sad if this goes down 😔
-
I'd like to know what the position of Mozilla is, and if there is any requirement (or something like that) that a new maintainer should meet. I know Go, I was thinking about stepping up for this. In that case, I'd be glad to have some help from others, though (at least another 1-2 maintainers), as I never managed a project at this scale :-)
-
I'm also happy to help, though my time is limited (i.e. there are too many other projects I'm involved in :) ) and I think I can only help well with some aspects of the project.
-
I very much agree with what was said above; it's sad to see this project die, as it is quite useful.
-
I echo @Enrico204's words. I'm willing to help maintain SOPS too, with some initial guidance from the current maintainers. SOPS is too amazing a project to let it die.
-
Maybe fork it? 😊
-
Maybe at least pin this issue or add it to the README so things can get sorted out faster.
-
Is there any news about the position of Mozilla? I'm not good at Go so far, but I'm using this tool as well, and don't want to let it die.
-
Any update on this? Maybe in the meantime we could at least merge some minor PRs like README fixes and other bugfixes? There are like many PRs fixing README for age key paths, for example. So going over all PRs and merging those would take only a few hours, I think. I can also help with such a pass (so just documentation and simple bugfixes, no features being added). This could improve the experience with the current version of the tool, while going over other PRs could then be left to the new managerial team.
-
I got the https://github.com/go-sops organization. Any chance to fork them?
-
It's been nearly 6 months and it doesn't look like any of the maintainers have responded to any questions or suggestions here. Maybe they need more time? Maybe they're completely mentally checked out of this repo? 😞
-
@autrilla — is there any way of identifying and pinging someone from Mozilla to clarify that company's sponsorship stance?
-
Hi, everyone - mhoye here at Mozilla. I'm looking into it.
-
Should we collect, in this discussion, a list with the Priority ToDos?
-
Hi all, I’m the new Security Engineering manager here at Mozilla. I wanted to update the community on our current status and future plans for the SOPS tool.
While the project does appear stagnant at this time, this is a temporary situation. Like many companies, we've faced our own resource constraints that have led to SOPS not receiving the support many of you would have liked to see us provide, and I ask that you bear with us a bit longer as we pull this back in. I'm directing some engineer resources towards SOPS now and growing my team as well (see below, we're hiring!), so we expect to work on the SOPS issue backlog and set our eyes to its future soon.
I realize there is interest in the community taking over SOPS. It may go that way eventually, but at the moment SOPS is so deeply integrated throughout our stack that we're reluctant to take our hands completely off the wheel. In the longer term we'll be evaluating the future for SOPS as we modernize and evolve Mozilla's tech stack. At present it serves some important needs, however, so for at least the next year you can expect Mozilla to support both the tool and community involvement in its development.
Lastly, as I noted above, I am growing my team! If working on tools like SOPS or exploring other areas of security involving cloud, vulnerability management, fraud, crypto, or architecture sounds interesting to you, see our job link below and apply! I have multiple roles open and these are fully remote across most of the US, Canada, and Germany.
Thank you,
-
Hello, everyone - Mike Hoye here, mhoye at Mozilla. I'm working on this now, and will have more details - and I expect good news - before the end of this year.
-
@mhoye :
-
SOPS has applied to be adopted into the CNCF sandbox: cncf/sandbox#28
-
Thank you to everyone who's helped us get to this step in the process, we're looking forward to seeing it through to its conclusion.
-
Congrats on entering into the CNCF Sandbox! https://lists.cncf.io/g/cncf-toc/message/8006
-
Now that it has been accepted, what is the process or next steps to get activity flowing on this project? There are several outstanding CVEs in dependencies and bug fixes that are needed.
-
I have the personal feeling that the project is a CNCF sandbox project now, with the same number of maintainers: 0. @mhoye, do you have an update for us? Who is responsible at Mozilla for deciding on and inviting new maintainers for sops?
-
As you all can see, the repository has been transferred from https://github.com/mozilla to https://github.com/getsops. This means that from now on, the maintainers as documented in cncf/sandbox#28 are active.
We need to do a bit of due diligence to finish the CNCF Sandbox onboarding, and to keep our promises to Mozilla. Given this, it will take a bit of time to adjust the repositories (including the release automation), before getting started with actually rolling out the long overdue patch release. This patch release will be aimed at solving the most primary bugs that have a low risk of breaking other things, and may not include everything that is at present on the (immense) backlog. Please bear with us while we try to work through everything (including issues); this may take some time.
Lastly, I want to thank you all for your extreme interest in keeping this project alive, and the patience you have had while we at times appeared to go radio silent. Transfers like this are not the easiest to do quickly, and I understand this may have been frustrating. Nonetheless, we were able to keep things humane and friendly, which is worth a dedicated mention and compliment.
-
It's quite apparent to me that neither @ajvb nor I currently have enough time to maintain the project, with PRs sitting unreviewed.
I think it's time to look for some new maintainers. I don't know what that looks like from Mozilla's point of view.