Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Security Patches after EOL? #16895

Open
1 of 4 tasks
dambrosiomike opened this issue Aug 12, 2019 · 22 comments
Open
1 of 4 tasks

Security Patches after EOL? #16895

dambrosiomike opened this issue Aug 12, 2019 · 22 comments

Comments

@dambrosiomike
Copy link

AngularJS is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project.
See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.

I'm submitting a ...

  • regression from 1.7.0
  • security issue
  • issue caused by a new browser version
  • other

Current behavior:

Expected / new behavior:

N/A

Minimal reproduction of the problem with instructions:

N/A

AngularJS version: 1.7.x

N/A

Browser: [all | Chrome XX | Firefox XX | Edge XX | IE XX | Safari XX | Mobile Chrome XX | Android X.X Web Browser | iOS XX Safari | iOS XX UIWebView | iOS XX WKWebView | Opera XX ]

N/A

Anything else:

I know the guidelines say to submit questions to stack overflow but this is a direct question for the current maintainers of the AngularJS framework and the community.

As we all know, AngularJS is reaching EOL at the end of June 2021. With that, my understanding is that the AngularJS team won't support the framework anymore, including fixing security vulnerabilities.

As I work for a Large Corporation(™) I have the pleasure of being required to maintain various compliance standards. One of these states that we cannot use any library or framework that is no longer maintained. In our use case, it means that we only need to ensure that security patches are applied in order to maintain our compliance standing.

What I wanted to know is whether or not there were any plans for this project to be handed over to another entity for security updates. I understand that this is open source and that folks can fork the project, but I wanted to understand my options (as we have about 200k lines of code leveraging AngularJS).

I know that for other things, like Python 2, there are companies offering support contracts past the EOL date that can be purchased for enterprise usage. Is this something that is going to happen for AngularJS or will we be able to maintain the framework past EOL for free?

Thanks again, and apologies for filing this in the wrong place.

@wuzhenda
Copy link

I think the angularjs is better than angular,hope some organization continue to support angularjs.

@ravisalunkhe85
Copy link

+1

@SFoster84
Copy link

Personally, I love AngularJS, it's been my framework of choice for a while (there's a simplicity to it that is not replicated in Angular IMHO) - plus, it has a wide variety of plugins which not all have been replaced with angular versions.

That said, it's going to be rough going to stick with it, like python2, authors will drop support for their plugins, and the framework will fall out of date, I think most corporate settings will have to have migration plans either to upgrade their projects or move their customers to other applications/services and in some cases they may have to discontinue support for things they're providing now.

Fortunately 2021 gives you some time, but I think regardless of what people feel about the framework, EOL has a fairly predicable outcome and the only other option will be if someone can make a business supporting and patching AngularJS they way Python2 companies like ActiveState are attempting, but it's a gamble that a company or companies can make a viable businesses supporting AngularJS.

@LordDashMe
Copy link

+1

@GuzmanPI
Copy link

Amazing news for all the AngularJS Projects out there! 👏🏾

@aaronfrost
Copy link
Contributor

aaronfrost commented Jun 12, 2020

There is now an offering to support security patches to AngularJS after the LTS is over. You can find out more here: xlts.dev/angularjs. It was introduced at ng-conf: Hardwired this year.

@nightmarez
Copy link

There is now an offering to support security patches to AngularJS after the LTS is over.

They want money 👎

@philgriffin
Copy link

Can anyone explain what versions are currently in support?

https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

@mgol
Copy link
Member

mgol commented Aug 5, 2020

Can anyone explain what versions are currently in support?

https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

Only versions listed there are supported in any way. 1.4 is not supported.

@philgriffin
Copy link

Can anyone explain what versions are currently in support?
https://docs.angularjs.org/misc/version-support-status#blog-post only mentions 1.2x and 1.8, is 1.4 still receiving security patches and in support until July 2021?

Only versions listed there are supported in any way. 1.4 is not supported.

Thanks, that was my assumption given their omission but wanted to check.

@ghost
Copy link

ghost commented Aug 23, 2020

I'm here because angular v>2 can't do runtime compilation. I'm storing templates on a blob and needs to be rendered at runtime. and migrating my code here is faster than migrating my code to react. angular/angular#15275 (comment)

Looking at angularjs, it is really good. It has room for performance optimization like modular loading of the ng core module. I just hope it stays stable even after LTS. and hopefully be immortalized like jquery.

@bertysentry
Copy link

You're not alone!

I'm sure there are people willing to maintain this open source project for free. Why the Angular team wouldn't let users take over officially?

It's a beautiful project, which has been transformative for the entire Web development community (much like jQuery). It still has thousands of projects relying on it. And these projects are not going to be migrated to Angular2/4/5/6/7/8 (they would have done so already).

If the Angular team is really going to give up on AngularJS, we need them to coordinate the takeover effort so that another team can officially maintain the project.

@noahlz
Copy link

noahlz commented Oct 4, 2021

Why the Angular team wouldn't let users take over officially?

...It's open source? You can certainly fork the project...? This has happened with many other widely-adopted OSS projects such as MariaDB (fork of MySQL), Crossroads I/O (fork of ZeroMQ), etc.

As for XLTS.dev wanting money for security fixes of AngularJS post-EOL.... what is wrong with experts being compensated for their work...? I'm struggling to see the issue there.

@petebacondarwin
Copy link
Member

petebacondarwin commented Oct 4, 2021

If the Angular team is really going to give up on AngularJS, we need them to coordinate the takeover effort so that another team can officially maintain the project.

The Angular team currently has no intention of officially passing the project to a new maintainer. Since it is open source, it is possible to fork and setup your own ongoing maintenance of this project. Since it is in LTS (and shortly EOL) there are no expected upstream changes that you would need to keep in sync with.

@bertysentry
Copy link

@noahlz While I'm 100% with you on compensating people for their work, I hope you realize that having to pay for security fixes contradicts principles of both open source and security?

Also, having multiple forks of the repo with various minor updates and security fixes is just going to create uncertainty in the community of developers relying on this (awesome) framework.

I guess at some point the documentation site is going to be taken down as well, so do we need to archive that as well, just in case?

@noahlz
Copy link

noahlz commented Oct 4, 2021

I hope you realize that having to pay for security fixes contradicts principles of both open source and security?

Where in Open Source manifestos etc. does it say that when the core committers behind a project declare it End of Life that they should continue to provide critical security fixes for free? It's...end of life.

XLTS.dev is going to fork AngularJS and provide security fixes past end of life...They are asking to be compensated for this effort. I'm struggling to find a problem with being paid for labor.

If another person / team wants to fork AngularJS and provide the same CVE fixes for free ... I'm sure the community would be very excited for that!

@petebacondarwin
Copy link
Member

petebacondarwin commented Oct 4, 2021

I guess at some point the documentation site is going to be taken down as well, so do we need to archive that as well, just in case?

There are no plans to take down this site.

The good news is that it is very easy to generate and host the documentation locally. The following should do it:

git clone https://github.com/angular/angular.js
cd angular.js
yarn
yarn grunt package
yarn grunt webserver

Then you can access the docs at localhost:8000/build/docs

@bertysentry
Copy link

Geez @noahlz! What percentage of the thousands of developers using AngularJS will subscribe to this maintenance service? My guess: a small fraction. The rest will either migrate to Vue.js (and pray it doesn't go the same route), or simply keep unpatched AngularJS (because of lack of knowledge, lack of will, lack of expertise, lack of time, etc.), with vulnerabilities well documented for "bad guys" to use it.

IMO Google could have taken over officially (and subcontracted to XLTS if they don't have the resources to do it internally). But I'm not going to keep deluding myself here: looks like the end of the road for AngularJS. 😥

@noahlz
Copy link

noahlz commented Oct 4, 2021

https://angular.io/guide/upgrade

The economics of Open Source are certainly something!

@AlonBe
Copy link

AlonBe commented Oct 4, 2021

@bertysentry, take a look at the the facts:

  1. Angular 2 first release candidate was published in May 2016.
  2. AngularJS author, Google, annouced in January 2018 that AngularJS will enter a 3 year Long Term Support period (e.g. end-of-life in 3 years, there was an extension to December 31 2021 due to Covid-19).

So as I see it, Google published a newer version 5+ years ago. (warning No.1 to anyone who uses Angular 1.X AKA AngularJS)
In addition, they told the entire community that in 2021 AngularJS will enter its EOL (warning No.2)

That's how open source works and the author did its best to prompt about it years in advance.
So I don't see anything wrong here. applications which still depends on out-of-dated libraries should take that into consideration and act accordingly years in advance, or fork\pay to any experts if they decide to still depend on that library.

You just said it: EOL (end-of-life) is exactly the end of the road for AngularJS.
Nothing wrong here 🤷‍♂️

@bertysentry
Copy link

@AlonBe I know the story of Angular 2: it was no longer Google, it was a fresh reboot, they started from scratch, and AngularJS users didn't like it. There was no migration path and the ecosystem was weak. Angular itself saw major breaking changes later on.

You guys are right though: nobody paid nothing to Google for AngularJS, therefore they owe us nothing at all. So they did nothing wrong, and I'm thankful they created this excellent UI framework and provided it for free to anyone.

I just wish Google would take a page from Microsoft's book: years after the official extended end-of-life of Windows XP, Microsoft still provided critical security patches to the venerable OS. Just because it would make the overall Internet safer (and because people were pointing their finger at them).

Now, long life to VueJS.

@glauberramos
Copy link

glauberramos commented Dec 14, 2021

Any plan to have an open-source version with fixes for security issues after EOL? That would be very good for the thousands of applications still using angularJs

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests