How Maintained Is ORAS? #207

Closed
mattfarina opened this issue Jan 14, 2021 · 2 comments

@mattfarina

ORAS is beginning to be used by a number of projects. On Helm, we would like to move our OCI integration to GA. I'm also aware of other projects using ORAS.

But, the last release to ORAS was 11 months ago and there have only been ~30 commits since then. ORAS depends on outside packages that have had security fix releases that ORAS has not released with. As a v0.x release there is no v1 yet and there does not appear to be a push for one. Looking at the merge history, all recent merges were performed by Josh. Josh does not work for Microsoft and this is a Microsoft project.

Is this project supported by Microsoft any longer? If not, does it need to be moved to a vendor neutral location and have other parties help Josh manage it? Or, is Microsoft going to invest in it?

@SteveLasker
Contributor

ORAS has active development, but it's not intended to be so active as to become unstable. The 30 commits reflect the effort, while not changing so much it makes it difficult to adopt. @shizhMSFT, @deitch have been active, as well as @jdolitsky being key to the original creation. The recent security release was a key focus to ensure we were doing the right thing for the community to ensure we fixed the security issues, without breaking consumers. If there are blocking requests, please do open issues, and we're happy to review and accept additional PRs.

As for ORAS being a Microsoft vs. community project, Microsoft contributes to, and sponsors its getting the TLC needed. However, I wouldn't call it a Microsoft-owned effort, any more than any one company owns many of the OSS efforts. Looking at the maintainers, you can see we have a breadth of owners.
DeisLabs is a staging ground while we build complete the work needed to have it properly adopted. We discussed CNCF and OCI, and landed on OCI being the proper place as it's more of a stable platform capability for OCI registries.
As we do the next round of Notary v2 work, we will likely need to make some additional enhancements and hope to complete the work outlined in the following issues (#178, #181), along with others.

If you'd like to contribute, we're always looking for contributions.

@SteveLasker
Contributor

Closing as resolved with no action item.
