
[aerogear-dev] SimplePush: are we done with it ?


[aerogear-dev] SimplePush: are we done with it ?

Matthias Wessendorf
Hi,

I wonder if we should call it a day on our SimplePush efforts?

We had a 0.12.1 release in November 2014:

and the latest commit to the source code was in February 2015:


We do have some open JIRAs for a potential 0.13 release, as well as some future tickets:


Now that there is a follow-up standard on this, WebPush, and we have a more active community around that, and a Google Summer of Code student, I do see this being much more interesting than SimplePush, moving forward.

I think our friends at Mozilla are also seeing much more value in focusing on WebPush. I guess it's a bit different there as they have SimplePush in production.


Now... what we could do is get a last release out and, instead of '0.13', call it 1.0.0, and put a note on the GitHub repository that this is the last release and we stop maintaining this stuff.

Or do some really feel they want to actively continue the SimplePush server ?

I think it was a good research project and I am happy we got some momentum around it, but I believe the future is WebPush instead of SimplePush

Feedback is more than welcome!

Matthias


--

_______________________________________________
aerogear-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/aerogear-dev

Re: [aerogear-dev] SimplePush: are we done with it ?

jr
Well, Mozilla is indeed focusing more on WebPush rather than SimplePush. There are only a few products that use SimplePush at the moment, and frankly, the feature set for WebPush makes it far more interesting.

If I may, I'd suggest focusing on areas we've seen folks struggle with, including:

1) Data encryption -
    Not terribly surprising, but folks have problems getting ECDH encryption and header
    publication right. I can only presume that folks that have problems with this lead rich,
    full lives surrounded by friends and loved ones and for some inexplicable reason, don't
    enjoy delving into frustrating bouts of brain melting math.
    Giving these poor souls a way to easily bundle up data that endpoints can decrypt so they
    can continue their care-free lives of joy might be useful.

2) Subscriber management -
    Somewhat in hand with the previous point, dealing with subscribers using WebPush is
    a fair bit more complicated than it would first seem. Subscribers can have multiple endpoints
    that may shift, or simply disappear in a puff of 410 smoke. Plus, there's the encryption keys
    that need to persist and be safe-guarded from compromise, and all the fun that goes with
    that.

3) VAPID -
    Mozilla currently uses VAPID to allow subscription providers a way to voluntarily provide
    info about themselves. The process involves a bit more brain-tweaking ECDH crypto, and there
    are some considerations that might escape the casual user (Keep your VAPID key separate from
    your publication keys; Keep your private VAPID key private; Resubscribe your customers on key
    rotations; etc.)
    VAPID is strongly favored for how subscription updates would be authorized for other service
    providers.

So, yeah, full plate. More than enough to scrape SimplePush off to make room, and the nice bonus is that the new stuff isn't just for one provider, and will make your library that much more attractive.

I've got a few resources to help folks get going on this:
1) https://mozilla-services.github.io/WebPushDataTestPage/ - The WebPush Data Test Page, which is a stand alone page that encrypts a data block and shows you as much as possible for key auditing. I recommend opening the Browser Console, since I'm a bit verbose. That page includes VAPID header support, but if you just wanted to see that bit:

2) http://mozilla-services.github.io/vapid/js/ - VAPID test page, which again is stand alone and can encode and decode VAPID header claims. The root currently has javascript and python libs, and is accepting PRs for other languages (hint, hint). https://github.com/mozilla-services/vapid/

I'm also working on a document that (hopefully) lays out the various steps and considerations for App Servers / subscription providers.

Does that make sense to y'all?
Thanks!

On 5/24/2016 11:45 PM, Matthias Wessendorf wrote:
Hi,

I wonder if we should call it a day on our SimplePush efforts?

We had a 0.12.1 release in November 2014:

and the latest commit to the source code was in February 2015:


We do have some open JIRAs for a potential 0.13 release, as well as some future tickets:


Now that there is a follow-up standard on this, WebPush, and we have a more active community around that, and a Google Summer of Code student, I do see this being much more interesting than SimplePush, moving forward.

I think our friends at Mozilla are also seeing much more value in focusing on WebPush. I guess it's a bit different there as they have SimplePush in production.


Now... what we could do is get a last release out and, instead of '0.13', call it 1.0.0, and put a note on the GitHub repository that this is the last release and we stop maintaining this stuff.

Or do some really feel they want to actively continue the SimplePush server ?

I think it was a good research project and I am happy we got some momentum around it, but I believe the future is WebPush instead of SimplePush

Feedback is more than welcome!

Matthias


--



_______________________________________________
aerogear-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/aerogear-dev
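
The VAPID point in the reply above, as an added example that is not part of the thread or of the mozilla-services/vapid library: encoding and checking VAPID claims as an ES256-signed JWT with Node's built-in crypto. The function names, the `push.example.net` audience and the contact address are assumptions made for the illustration.

```javascript
// Added example: VAPID claims as an ES256-signed JWT (Node.js, built-in crypto only).
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// P-256 key pair used ONLY for VAPID signing; it is kept separate from the
// ECDH keys used to encrypt message payloads, as the message above advises.
function newVapidKeyPair() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

function signVapidClaims(privateKey, claims) {
  const header = b64u(JSON.stringify({ typ: 'JWT', alg: 'ES256' }));
  const input = `${header}.${b64u(JSON.stringify(claims))}`;
  // JWS ES256 carries the raw 64-byte r||s signature, not the DER encoding.
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Checks a push service would make: signature, audience, expiry window.
function verifyVapidToken(publicKey, token, expectedAud, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(fromB64u(parts[0]).toString('utf8'));
    claims = JSON.parse(fromB64u(parts[1]).toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (header.alg !== 'ES256') return { ok: false, reason: 'bad alg' };
  const sig = fromB64u(parts[2]);
  if (sig.length !== 64) return { ok: false, reason: 'malformed' };
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (claims.aud !== expectedAud) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  // The VAPID spec caps exp at 24 hours from the time of the request.
  if (claims.exp > nowSec + 86400) return { ok: false, reason: 'exp too far' };
  return { ok: true, claims };
}
```

A token signed with a rotated key fails verification against the old public key, which is why the reply lists resubscribing customers on key rotation as a consideration.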