Then it's up to the consumer to judge that themselves. One component of the liblzma backdoor was that distros were already linking to those tarballs. That wouldn't happen here as the repo will essentially freeze.
This really goes to show you how valuable a good experience / API is.
PiVPN is so easy to use. You run 1 command and pass in the name of the config to generate and you're done. Now you can take that config and use it client side.
I've used it on Debian servers (not a Raspberry Pi) and it's been flawless to onboard a bunch of folks into using a VPN (work related).
IMO there's no way this project will fail, someone will fork it.
Curious to hear: does anyone know what the mentioned alternatives are? A super simple to use WireGuard control plane is super valuable, and PiVPN seemed to fit that gap perfectly.
Unfortunate that it's come to an end, but it's nice to hear the maintainer is moving on in such a positive way :)
After meaning for years to spend the 2-3 hours I’d need to set up WireGuard and get all my devices on it that I’d want on it (it’s a bit fiddly and time consuming, and inevitably with projects like that, there’s some dumb problem that comes up that wastes a bunch of time), I just did the free tier of Tailscale.
Server, two Apple TVs, a couple phones, a tablet, and a laptop all on it in like 15 minutes flat. With one of the Apple TVs configured to act as a gateway, too.
Thanks to the maintainers of the project. It is a handy tool, a good wrapper around setting up simple WireGuard quickly. And it pairs with Pi-hole really well.
I migrated to OPNsense for my DNS and I haven't needed a VPN for a little bit. But I kind of disagree that there is no place for a simple CLI tool for WireGuard user management.
I was going to make a comment about how unreasonable it is to shut the project down instead of letting someone else take it over. But two things come to mind: First, yes, people can fork it and develop it on their own. Second, right after xz, maybe it would seem unwise to endorse a stranger taking over your security project.
PS: PiVPN isn't WireGuard itself. Assuming WG's command line doesn't change radically for a while, PiVPN is still completely usable and people don't need to rush to get off it.
This is the best way to conclude a project like this, I wish more clear cut "this is the end" choices were made. An ecosystem with zombie projects isn't healthy.
> I've been giving less and less attention to PiVPN, and the desire to keep up with it is no longer what it once was.
I wonder if financial/monetary incentive would change this. I don't think it would, personally (because putting a value on your free time/mental load/time you can spend with your loved ones doing something else away from the PC is precious).
On the flip side... $500/mo? $1k/mo? $5k/mo? I'm sure most projects that go "defunct" open-source-free-no-financial-incentive-thanklessly-help-build-something could probably find "motivated maintainers" for $3k/mo on average? Internationally?
Is the "capitalist" answer "this repo and all of its efforts are not worth $3k/mo to the open market"?
A lot of these projects are made in people's leisure time, without profitability, for other fellow geeks, and the users also use them in their hobbies. And as fellow geeks, we are more likely to be financially poised to be on the other side of the equation: getting paid to write code, rather than being able to pay a developer's wage, at least not in the long term, not in any maintainable manner. Can you afford to pay yourself 3k/month to maintain such a project, without any profitability, just for a hobby?
Agreed. Also often the gap between what people will pay for a hobby project and what money is being made at a tech company by the people who have the hobby is vast. Sometimes there are contractual restrictions on taking money from other jobs simultaneously that complicate it.
> You could probably get someone, but would you get someone good (competent, trustworthy, etc)?
The same could be asked of people who work on open projects for free, could it not?
Is a financial reward (or lack of such reward), in and of itself, some sort of implicit indicator of the quality of the person putting forth the effort?
> Is a financial reward (or lack of such reward), in and of itself, some sort of implicit indicator of the quality of the person putting forth the effort?
It is an implicit indicator of how much that person cares about the project.
I don't think we need to make a study of it to be sure that GitHub and Sourceforge are rife with free software ("free" in terms of beer, and in libre, and also in compensation) in various states of incompletion, haphazard execution, and sheer abandonment.
I mean: The open-source community has certainly produced a ton of excellent software for free, but it has also produced (and published) a lot of false starts, loose ends, broken or forgotten code, and unfinished or unpolished work.
Open-source volunteerism is awesome, but it isn't all ponies and rainbows.
Perhaps the author(s) of some of these things might care more about finishing and maintaining them if their ongoing efforts were producing a meaningful amount of money as a reward.
> Perhaps the author(s) of some of these things might care more about finishing and maintaining them if their ongoing efforts were producing a meaningful amount of money as a reward.
Have you looked at the average state of commercial software lately?
Yes, it seems to be much worse than it used to be in (pick a timeframe that relates to your own rose-tinted "back in the day"), but some of it is excellent.
Does any of this somehow mean that a financial incentive must make free (beer and libre) software worse?
If so, why and how?
It does not follow, for me, that rewarding software authors with money must make things worse.
I've personally put a fair amount of money into various tip jars for free software authors who create stuff that is important to me. There is no part of me that thinks that me doing this somehow disincentivizes them from continuing to do outstanding work.
Maybe not quality of the person, but quality of the job done, absolutely.
When working for free on my hobby projects, I do my absolute best. Now try to pay me $3.50 per hour for similar work (strictly +Infinity% more than before!), I'll probably flat out refuse / won't focus on it as much.
Why? I wish people would put their projects in something like https://www.codeshelter.co so anyone who's interested can maintain them, instead of just killing them.
You can maintain it right now. Make a fork, and continue development. You might even get some shoutout from the original devs. It's all open source after all, making this repo read-only doesn't mean the project's dead if the community is vibrant enough.
The community matters. It's one thing to get control of the official websites, official packages, etc, and another to have to tell every single user "come use my fork".
There are accidents on the highway, planes crash, fires in buildings, etc. Let's reason about Jia Tan - a problem, not a danger to all of FOSS - not, like everything else these days, just embrace ignorant fears.
It's cool to destroy social trust, to deny it and abandon it. The counterargument is right in front of your nose - the incredible, infinite, world-changing world of FOSS. Think of all those amazing projects, social trust working over and over and over.
You're going to throw all that out over one guy? The only thing we have to fear is fear itself.
This is not what I meant. But I prefer a fork of an abandoned project which needs to gain new trust to be installed instead of a new release pushed through an auto update after 3 years that installs malware.
The parent comment was not about someone from the community taking over (which to be honest was the case in the xz story) but about posting the project on a "projects without maintenance" site for any random person to take control.
So you're saying that if projects continue choosing to sunset without handing over the keys to the kingdom, open source will stop existing?
This is simply not even close to true.
Edit: I can't reply to your reply, so here will do. You've completely ignored my main point. I get that you want projects to pass on the torch, but saying open source will otherwise die is ridiculous.
> "But I want and can maintain it, can I take it over?" Let me put it plain and simple: No! I don't know you, I don't trust you! Fork it and carry on!
For something security critical like a VPN, an ownership change is a big deal. Users trust the project's reputation. So if there is not a trusted successor, shutting it down is way better than giving it up to unknown people.
That's not what they meant at all, don't be obtuse. The community exists around the project (in this case the repo and associated website etc). If you fork it then you have to hope that the community follows you to your fork and that then everyone coalesces around it. This isn't guaranteed to work though, so passing the existing project onto a new maintainer is a much better way of retaining the existing community. That is what was meant when talking about the community.
The earlier comment is concerned for the users being orphaned by the project they used. The project is concerned with protecting the trust the users placed in the project by using it.
To trivialize the concern of the project seems worse because it prioritizes convenience in a particularly sticky area (security/privacy) as well as forcing a less informed choice on the user (who they are trusting).
There's probably a nice parallel here where we consider the NRL's role in Tor and how FOSS practices, EFF funding, and transparency meant it preserved user trust.
The maintainers are vetted before joining, and are removed if they do something untoward, but when the choice is between killing the project or giving it to some random person, Code Shelter provides a better alternative.
What if they pass the joining process but then later sneak something in that goes undetected until things go boom? There are alternatives, you can fork the original project, and things will go on. As others have said too, you can just update the underlying software and there's a good chance that the wrapper itself will continue functioning, providing there are no giant breaking changes and by that point, a fork or alternative will likely have handled it.
What if there's no joining process, and they contact a maintainer directly, and peer pressure them to hand over the project, and the maintainer does, and then they sneak a backdoor in some binary test files?
That scenario is exactly what PiVPN is avoiding by refusing to nominate a new maintainer and telling interested parties to fork--so what is your actual and concrete objection?
> I wish people would put their projects in something like https://www.codeshelter.co so anyone who's interested can maintain them, instead of just killing them
So to me that says you want it both ways, for while I appreciate what the codeshelter folks are trying to do, it is a task that is going to turn out Sudden But Inevitable Betrayals. Instead of contacting a maintainer directly, they just look sufficiently polished that codeshelter says "yeah, sure, OK" and hands it over.
Forking the project and earning your own trust really is the safe path forward.
Anyone got a recommendation for a router with Wireguard support baked in? I've been running PiVPN on a separate box but since I need a new router anyways and it's not going to be supported, that might be a viable replacement.
Recently we needed a customer in a different country to be able to connect to a WireGuard instance and I didn't want to deal with the support headache of walking them through the flashing process. While I was looking for devices that come with OpenWRT preinstalled, I came across FriendlyElec, which looked quite decent.
Eventually we ended up building a custom Raspberry Pi image.
Ubiquiti UDM-Pro has it, but I'm not sure how they're regarded in popular opinion these days. I've had good luck with everything but the PoE on mine, and they gave me a free injector to fix that.
You can easily install Wireguard on EdgeOS (VyOS fork) 1.x and 2.x and 3.x will have it natively. The OS is kind of RIP otherwise, so I cannot recommend it, but Ubiquiti just released a new UnifiOS-based router with 5 2.5 GHz ports saturating 1.6 GHz with IDS. That, or some random AliExpress x86-64 router with OPNsense.
Eh, I just wanted to migrate to this, a lot of threads recommend it as the best way to effortlessly set up Wireguard. WG-easy, Headscale have their own set of problems. I guess there will be forks.
> WireHole is a combination of WireGuard, Pi-hole, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities thanks to Pi-hole, and DNS caching, additional privacy options, and upstream providers via Unbound.
Crazy to abandon a 6.4k star project that presumably many people are actively using… I know maintenance of OSS projects can be burdensome but there’s usually some in the community that are eager to chip in with PR reviews and handling issues. I’m surprised they aren’t interested in pivoting the product in the same general direction but giving it some novel features or something.
Why is it crazy? If it no longer aligns with the maintainer’s interests or energy, doesn’t provide compensation, he’s within his right to archive it and move on. And people in the community can fork it if they need to.
After the sshd debacle, and in the context of GenAI becoming ever better at impersonation at scale, I don't think anyone working on a security-relevant project should simply hand off to an enthusiastic community member they don't know well.
Do you remember when Raymond Hill ceded control of uBlock to another guy? This new guy started asking for donations (for himself) and then sold the project to AdBlock.
That was truly disgusting.
That’s what prompted Raymond to create uBlock Origin.
They learned a good lesson from the liblzma situation.