From: Jaco Kroon <jaco@uls.co.za>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Last rites EAPI=6 packages: dev-php/*
Date: Fri, 13 Sep 2024 13:53:33 +0200
Message-ID: <6c6e2a19-54b8-4289-b62b-37597cfed624@uls.co.za>
In-Reply-To: <ZuQSe7fpn8DMdw4n@stitch>
Hi,
On 2024/09/13 12:22, Michael Orlitzky wrote:
> On 2024-09-11 17:23:16, Jaco Kroon wrote:
>> 1. Let users (myself included) just download and use that.
>> 2. We package the phar file rather than the individual deps. Yes, this
>> is cheating. Like using embedded libs, however, I've seen and observed
>> that in some cases this makes more sense than splitting them up (eg
>> clippy and frr).
>> 3. We go about figuring everything out again and bumping all those
>> individual packages and keeping them all up to date individually. I
>> don't think this is worth our time and effort.
>>
>> I honestly think in this case 2 may well be acceptable. Otherwise 1, but
>> I think 3 is not worth the effort based on your feedback and further
>> reading from when I originally posed the question to now.
> I agree that (3) is probably too much trouble. It might be worth it if
> someday people want to bring back other packages that would benefit
> from the deps, like PHPUnit.
>
> I don't like (2) because there's no way for the security team to know
> what's inside composer.phar, and no way for users to tell that they've
> got ~15 bundled dependencies in a tool that's extremely
> sensitive. So... what I've been doing is putting composer.phar in
> /usr/local/bin. (I also run it as a separate user because I don't
> trust the code it's downloading but that has nothing to do with
> Gentoo.)
>
I think, then let's stick with that.
I'm not able to edit https://wiki.gentoo.org/wiki/Composer_packaging in
order to make reference of this discussion there so others looking at it
will understand what the motivation is. In the meantime I'm sorted at
least.
Thanks for the constructive discussion.
Kind regards,
Jaco