Flutter, a cross-platform framework that lets you deliver apps for iOS, iPadOS, Android, Windows, macOS and Linux from one source, is amazing. With packages like platform_widgets it is even possible to meet user expectations on any platform. However, having worked with Flutter for more than two years, I've found something that bothers me: the maintenance of Flutter packages on pub.dev.
The project where I ran into that issue was the development of an authenticator handling some proprietary cryptography and a proprietary protocol. The "proprietary" cryptography was actually EC cryptography over specific elliptic curves, the Brainpool curves favoured by the BSI (the German Federal Office for Information Security; the acronym doesn't translate into English). It doesn't matter much for the purpose of this article, as my enhancements covered general EC signature and encryption with any curve as well (for example, I implemented the ECDH-ES key agreement from the JWE/JWA standards), so let's just say that support for those curves was important to the project. That wasn't a problem until I reached out to the maintainers of the dependencies I was enhancing.
The package in question is "jose", which itself is based on two other packages maintained by the same author, "x509" and "crypto", and on "pointycastle", a Dart port of the well-known Bouncy Castle JCA provider for Java.
"jose" is supposed to be an implementation of JWT creation, encryption and signing, and it is capable of that, as long as you aren't asking for something special, like EC encryption or signatures. Those weren't supported in that package until I wrote an enhancement, which included modifications and/or additions to several packages, from "pointycastle" up to "jose". I needed to fork several repositories to apply those changes, but that is not the problem.
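To make the crypto requirement concrete, here is the pointycastle half of what the enhancement needed: an ECDSA signature over a Brainpool curve using pointycastle's public API. This is an added example, not code from the post's author or from the jose/x509 changes it describes; it assumes a current pointycastle release that registers the Brainpool curves under the name 'brainpoolp256r1', and it stops at the raw (r, s) signature, so the jose-level JWS/JWE wrapping is not shown. The seed, key pair and message are constructed for the example.

```dart
import 'dart:typed_data';

import 'package:pointycastle/export.dart';

// Curve name as registered by pointycastle (assumption: a current release
// that ships the Brainpool curves). 'prime256v1' would work the same way.
const curveName = 'brainpoolp256r1';

// Example-only seed. Real code must seed FortunaRandom from a platform
// CSPRNG (e.g. 32 bytes from Random.secure()); a fixed seed yields
// predictable keys.
SecureRandom exampleRandom() {
  final rnd = FortunaRandom();
  rnd.seed(KeyParameter(
      Uint8List.fromList(List<int>.generate(32, (i) => (i * 7 + 1) & 0xff))));
  return rnd;
}

AsymmetricKeyPair<ECPublicKey, ECPrivateKey> generateKeyPair(
    ECDomainParameters domain, SecureRandom random) {
  final generator = ECKeyGenerator()
    ..init(ParametersWithRandom(ECKeyGeneratorParameters(domain), random));
  final pair = generator.generateKeyPair();
  return AsymmetricKeyPair(
      pair.publicKey as ECPublicKey, pair.privateKey as ECPrivateKey);
}

// ECDSA with SHA-256. Passing an HMAC as the second argument makes the
// nonce k deterministic (RFC 6979), which removes the dependency on RNG
// quality at signing time; init() still wants a random source.
ECSignature sign(ECPrivateKey key, Uint8List message, SecureRandom random) {
  final signer = ECDSASigner(SHA256Digest(), HMac(SHA256Digest(), 64))
    ..init(true,
        ParametersWithRandom(PrivateKeyParameter<ECPrivateKey>(key), random));
  return signer.generateSignature(message) as ECSignature;
}

bool verify(ECPublicKey key, Uint8List message, ECSignature sig) {
  final verifier = ECDSASigner(SHA256Digest(), HMac(SHA256Digest(), 64))
    ..init(false, PublicKeyParameter<ECPublicKey>(key));
  return verifier.verifySignature(message, sig);
}

void main() {
  final domain = ECDomainParameters(curveName);
  final random = exampleRandom();
  final pair = generateKeyPair(domain, random);

  // Constructed sample payload; in the real project this would be the
  // JWS signing input (base64url(header) + '.' + base64url(payload)).
  final message = Uint8List.fromList('constructed sample payload'.codeUnits);
  final sig = sign(pair.privateKey, message, random);

  print('curve: $curveName, group order n has ${domain.n.bitLength} bits');
  print('r = ${sig.r.toRadixString(16)}');
  print('s = ${sig.s.toRadixString(16)}');
  print('verifies: ${verify(pair.publicKey, message, sig)}');

  // A tampered message must fail verification with the same signature.
  final tampered = Uint8List.fromList(message)..[0] ^= 0x01;
  print('tampered verifies: ${verify(pair.publicKey, tampered, sig)}');
}
```

Run with `dart run` inside a package that depends on pointycastle. If the curve name is not registered in the installed release, `ECDomainParameters(curveName)` throws, which is a quick way to check whether a given pointycastle version actually carries the Brainpool parameters before building JOSE support on top of it.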
The problem is that the "pointycastle" maintainers accepted my pull request for the additions I made, which I needed in order to update "jose". But the "jose" maintainer (who happens to be the maintainer of the base packages "x509" and "crypto" as well) has not acted so far, and the issue is about to cross into its second year. Even small preliminary pull requests that correct minor errors are not merged. Recently I saw that another fork of the relevant packages pulled my changes in, as they fixed bugs that the original maintainer still hasn't acknowledged.
What is even more annoying: I contacted the maintainer twice by e-mail, asking whether they still wanted to maintain those packages. Both times the answer was "Yes"; however, they haven't accepted any pull requests for years now. They are obviously busy with other things.
So the question is: how do Flutter/Dart and the people behind them handle maintainers of packages who are no longer responsive? I don't expect people who publish open source to be there forever. But I do expect them to say that they won't be around any longer when they are asked. As of today I have absolutely no clue where to turn to get my "jose" (and dependants) enhancement published. I would take over maintainership of those packages, but there is no mechanism to do that.