acquire permissions on the Fernet spec, or fork it

[chadwhitacre]

The Fernet spec is an important dependency for Cryptography, and it is moribund. The last commit was 18 months ago. PRs and issues languish:

• trivial, e.g. Update Readme fernet/spec#10
• non-trivial, e.g., require strict base64 decoding fernet/spec#11
• important: Signing-key length is not too small? fernet/spec#8, Introduce version 0x81, including microsecond timestamps fernet/spec#13

A Google search [snapshot] suggests that Cryptography is the primary consumer of the Fernet spec. Having hitched the Cryptography wagon so strongly to such a boutique protocol, it seems untenable to disavow responsibility now that the Fernet maintainers have gone AWOL. Have they gone AWOL? Yes: asking, "Is this project still being maintained?" means it is not.

Cryptography should attempt to take over maintenance of the Fernet spec repo on GitHub. If that doesn't work (and assuming we don't want to start phasing out Fernet entirely), Cryptography should fork the Fernet spec—perhaps after pausing once again, "to ask ourselves about the ethical implications of writing this stuff ourselves: Are we qualified to do this?"

[reaperhulk]

I appreciate the time and care you're taking in your due diligence on this. We're aware of the current state and working on ensuring the spec doesn't languish. At the moment we feel the outstanding issues don't justify a fork (with all the accompanying major challenges that represents, including defeating the whole idea of an interoperable spec) and we still believe we can work with the current maintainers in the long term. If that fails we would consider transitioning to an alternate construction (although if JWE lands in cryptography then an alternative would already be available).

[chadwhitacre]

We're aware of the current state and working on ensuring the spec doesn't languish.
we still believe we can work with the current maintainers in the long term

@reaperhulk Okay. In that case, I would propose reopening this ticket, retitling it, "ensure the spec doesn't languish," and tracking our efforts here. It's not obvious that we've in fact been working on this. Have we emailed them privately? Have we reached out to them on Twitter? In real life? From where I sit, I'm seeing radio silence from them, and resignation from Cryptography (though I haven't searched IRC yet ...).

[reaperhulk]

Not all our discussions take place publicly (e.g. they may happen in alternate IRC channels, personal emailing, or occasionally in person conversations when team members meet at conferences like PyCon). This is not the level of transparency that a project like Gratipay uses for its own purposes, but has proven workable for us. As a result, sometimes the public record may not reflect the consensus of the project on topics that don't get much attention (like this one). And of course individual opinions may vary. :)

We have reached out privately to talk to them about maintenance questions around the repo.

[chadwhitacre]

Not all our discussions take place publicly
This is not the level of transparency that a project like Gratipay uses

For the record, not all of Gratipay's discussions take place publicly. @kaguillera and I have the good fortune of being able to work together on Gratipay, in person, two days a week, and of course we have many conversations throughout the day, and neither of us is Steve Mann. ;-) However, we do try to publicly log summaries of our conversations, and we especially try to avoid making decisions in private conversation. There are important exceptions, of course, which Gratipay tries to clearly document. "The exceptions are legal, safety, security, and support matters."

The reason Gratipay operates this way is to help keep itself honest. Fwiw, it seems to be working. :) For example, when Gratipay was called out publicly on some questions about its legal basis, it was unable to simply sweep them under the rug. There are similar questions to be raised about some of Gratipay's competition, but as closed organizations they're able to proceed without resolving the questions as clearly. Gratipay's practices around transparency are in service of accountability.