From: Michael Orlitzky
To: gentoo-dev@lists.gentoo.org
Date: Fri, 13 Sep 2024 06:22:51 -0400
Subject: Re: [gentoo-dev] Re: Last rites EAPI=6 packages: dev-php/*
References: <5babde00-594b-42d6-aeec-9c2398e30a7f@uls.co.za> <46dc3021-6f24-4110-8304-fa5f62d2fa44@uls.co.za>
In-Reply-To: <46dc3021-6f24-4110-8304-fa5f62d2fa44@uls.co.za>

On 2024-09-11 17:23:16, Jaco Kroon wrote:
> 1.  Let users (myself included) just download and use that.
> 2.  We package the phar file rather than the individual deps. Yes, this
> is cheating.  Like using embedded libs, however, I've seen and observed
> that in some cases this makes more sense than splitting them up (e.g.
> clippy and frr).
> 3.  We go about figuring everything out again and bumping all those
> individual packages and keeping them all up to date individually.  I
> don't think this is worth our time and effort.
>
> I honestly think in this case 2 may well be acceptable. Otherwise 1, but
> I think 3 is not worth the effort based on your feedback and further
> reading from when I originally posed the question to now.

I agree that (3) is probably too much trouble. It might be worth it if
someday people want to bring back other packages that would benefit from
the deps, like PHPUnit.

I don't like (2) because there's no way for the security team to know
what's inside composer.phar, and no way for users to tell that they've
got ~15 bundled dependencies in a tool that's extremely sensitive.

So... what I've been doing is putting composer.phar in /usr/local/bin.
(I also run it as a separate user because I don't trust the code it's
downloading, but that has nothing to do with Gentoo.)