Mark security-only packages as Abandoned in packagist.org

[Slamdunk]

Hi everybody, today we were trying to update our dependencies to psr/log:v3, but laminas-log conflicted because it only supports v1.
Ok, then I went to open a PR to extend its compatibility, but laminas/laminas-log#50 was already there.
I had to read all the comments, and then the README.md, and then 2020-08-03-TSC-Minutes.md to find out it's marked as security-only.

I would like to ask you to mark all the laminas packages currently voted as security-only as Abandoned in https://packagist.org/packages/laminas/: this aims to spread awareness of their status thanks to the built-in functionality of composer to pop yellow warnings for abadoned packages.

I am aware that, semantically, they are not really abandoned, but I think for the end user it's better than not having it marked so.

[froschdesign]

@Slamdunk

…this aims to spread awareness of their status thanks to the built-in functionality of composer to pop yellow warnings for abadoned packages.

And here we will generate a lot of requests and issue reports, because laminas-http is in security-only maintenance mode and laminas-mvc is using it.
Therefore, the step should be well-considered, even though I can understand the background of your request/idea.

[heiglandreas]

This is trying to monkeypatch a situation that is not caused on our side by activism on our side.

The only clean solution to this issue would be to mark the library as "security-only" on packagist.

OTOH: What is exactly the issue? That people are not seeing fast enough that laminas-log is only supporting psr/logv1? That people are asking why it's only supporting v1? What people should do to solve their issue?

In all three cases adding a more prominent warning plus a label security-fixes-only might help people to see much faster what the issue is.

As we have that (kind of) in control we can much easier provide a better solution than marking the issue as "abandoned" on packagist.

Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message. As important as that is: The maintenance message addresses more people and currently isn't visible right away when people visit the repo...

[froschdesign]

Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message.

👍🏻

And often the headline is missing:

• https://github.com/laminas/laminas-log#security-only-maintenance-mode
• https://github.com/laminas/laminas-http#readme

[Slamdunk]

And here we will generate a lot of requests and issue reports, because laminas-http is in security-only maintenance mode and laminas-mvc is using it.

That would be good indeed, actively maintained packages should rely only on other actively maintained packages

In all three cases adding a more prominent warning plus a label security-fixes-only might help people to see much faster what the issue is.

I disagree: do you read every day the homepage of every package you use? I don't, but I read daily the composer update output.

Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message.

I understand the questions and concerns you raised, but this would have helped me no better than what it already did.

The more I think about this, the more security-fixes-only and abandoned are synonym to me.

[froschdesign]

@Slamdunk

That would be good indeed, actively maintained packages should rely only on other actively maintained packages

You may be right, but this creates frustration for the user and ends in countless requests, as the past shows. So that can't be the solution because we can't get laminas-mvc package changed over so quickly. A simple option would be to set the laminas-http to active again. (This is only one example.)

[boesing]

security only just marks a package feature complete. regarding laminas-log, I really would encourage users to use monolog instead.

Other packages, such as laminas-http, will and can support newer php versions and are therefor still security-only which includes php upgrades imho.