Comments

greggles’s picture

What documentation is necessary? I think the documentation available in-line in the module is actually quite good.

greggles’s picture

Is 2327995 really a release blocker? It seems like a bug, but not absolutely necessary to get done, right?

coltrane’s picture

Updating issue summary with current priorities.

coltrane’s picture

Next release will be beta2.

Note that if you're presently running beta1, the upgrade to beta2 will break encrypted stored data (TOTP seeds, recovery codes, etc.) because of #2339449: Use better encryption and random source.

It is recommended that you disable any TFA requirements and communicate to your users that they'll need to reset TFA settings.

damienmckenna’s picture

Title: [meta] TFA tag releases » Plan for TFA 7.x-2.0 release
Category: Task » Plan

How about we focus this on one single release, i.e. 2.0?

greggles’s picture

The two remaining issues would be very nice to have, but I don't think they merit holding back a 7.x-2.0 release.

Leeteq’s picture

As discussed over at #2482851: Policy on resetting accounts after TFA is enabled, IMO allowing multiple TFA registrations per account may be part of the solution to facilitate self-serving disabling of TFA. See the related issues.

greggles’s picture

Thanks for the feedback Leeteq - do you see these related issues as necessary items to fix prior to a 7.x-2.0?

Leeteq’s picture

@greggles: if confirmed also by others than me, then definitely the first one. The latter I find to be an important feature (especially in context with #2482851: Policy on resetting accounts after TFA is enabled), but perhaps not exactly a 2.0 release blocker, although "close" IMHO. I have adjusted the issue summary accordingly. (PS: if #2537392: Security tab empty after successful TFA registration, and the TFA verification page lacks the recovery button can NOT be reproduced by others, then just close it as such.)

greggles’s picture

It seems to me like none of these are blockers.

coltrane’s picture

Title: Plan for TFA 7.x-2.0 release » Plan for TFA 7.x-2.1 release
damienmckenna’s picture

I crosslinked a few items which are RTBC, it'd be good to get them in too.

edvanleeuwen’s picture

Is this going to happen sometime?

greggles’s picture

In the cross-linked issues, which seem like they are the really critical items?

The 2 issues that seem most critical to me are the mcrypt and drush issues. More testing/review of those would be great.

The destination issue seems like a good bug fix, but it has a lot of changes to important variables. I don't have the time/motivation to give that the real review it would need. If someone else can give an in-depth review of it from a security perspective that would be great (#2687021: TFA redirects to 404 if ?destination includes query parameters).

greggles’s picture

There's an RC for the 2.1 release at https://www.drupal.org/project/tfa/releases/7.x-2.1-rc1

It includes several important fixes. Please help test and review those changes to confirm they are good. We could release a final 7.x-2.1 in 2 weeks or so if no new bugs are found in this rc1.

edvanleeuwen’s picture

damienmckenna’s picture

@edvanleeuwen: Please open a new issue for the tfa_logout() problem, and a separate one for the TFA Basic module as it needs to be updated to use OpenSSL instead of mcrypt.

greggles’s picture

Yes, ideally those should be new issues since this is a release plan issue. Item #2 seems like a release blocker for this module.

jcnventura’s picture

#2 is not a release blocker. Not sure when those warnings appear, but if people do have the mcrypt extension installed, the module will use it. It's very likely that whoever installs mcrypt for PHP 7.2+ should not see those messages anymore. Hopefully they only occur in PHP 7.0-7.1.

edvanleeuwen’s picture

PHP version used when the errors appeared: 7.3(.21).

jcnventura’s picture

Funny that. The PECL source code for the extension doesn't have any deprecation code. Can it be a Frankenstein'ed version of PHP 7.3 that still contains the mcrypt code instead of using the PECL extension?

edvanleeuwen’s picture

Could you please help me how to tell, @jcnventura?
I have installed it using the php-extension script here https://help.poralix.com/articles/install-pecl-extension-for-php-directa...

Extension resides in
/usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/mcrypt.so

jcnventura’s picture

Easiest is probably this:
strings /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/mcrypt.so | grep -i deprecated

edvanleeuwen’s picture

Ok, this gives:
mcrypt and mdecrypt stream filters have been deprecated

edvanleeuwen’s picture

Removed the mcrypt library (php-extension.sh remove mcrypt). Recompiled php. No more errors.

jcnventura’s picture

Title: Plan for TFA 7.x-2.1 release » Plan for TFA 7.x-2.2 release

Let's be honest about the fact that this plan won't apply to the 7.x-2.1 release, which will mostly be about #2820710: Mcrypt is required, but it is deprecated in PHP 7.1+.

jcnventura’s picture

Status: Active » Closed (outdated)

Let's be even more honest, and admit there's actually no plan anymore. Whatever gets RTBCd by enough people may get committed, and after some time if something warrants a release, that will happen.