Propose list of components to move to security-only maintenance #31
I'm not quite sure how you brainstormed this list, but I found a ton of cases where I know we have active development and/or I know the components are widely used and should likely get updates as new PHP versions are released.
We can either incorporate my comments into the agenda, or use them to remove items from the list in order to reduce how many we need to discuss during the meeting.
Proposal: these components should (probably) be clearly labeled so that maintainers know that only security | ||
issues are to be fixed, if they occur. | ||
|
||
* laminas-db |
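Review bot: the proposal sentence at the top of this hunk hedges with "should (probably) be clearly labeled" and does not say where that label is recorded. Once the list is agreed, drop the hedge and name the place the security-only status is stated, so maintainers and users know where to look before filing or triaging a non-security issue.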
You mention this one twice (it's also the last entry on the list). And there's actually some projects/milestones that have been proposed around it, with @samsonasik taking some steps in the past week towards them.
I hesitate both to keep it, as well as to get rid of it. If we go forward with some of the proposed changes, which include extracting adapters to their own packages, we might be able to consider removing adapters we do not have the bandwidth/expertise to test, winnowing them down to perhaps only the most popular/useful (e.g., sqlite, mysql, postgres), and leaving others to provide adapters for other platforms.
issues are to be fixed, if they occur. | ||
|
||
* laminas-db | ||
* laminas-developer-tools |
This one is in active mode, having received features both immediately prior to the migration, and immediately after.
* laminas-db | ||
* laminas-developer-tools | ||
* laminas/laminas-oauth | ||
* laminas/laminas-xml |
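Review bot: the entries in this hunk mix two naming forms: `laminas-db` and `laminas-developer-tools` are bare package names, while `laminas/laminas-oauth` and `laminas/laminas-xml` carry the `laminas/` vendor prefix. Use one form for every entry so each line maps unambiguously to a repository and duplicates are easy to spot.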
This is a security component. While it's unlikely to have additional features, it's not impossible, particularly if new XML-based security vectors are discovered.
* laminas-developer-tools | ||
* laminas/laminas-oauth | ||
* laminas/laminas-xml | ||
* laminas/laminas-composer-autoloading |
This is likely going to be updated to consume laminas-cli, and be used by other tooling to add/remove modules and/or source directories to applications.
* laminas/laminas-oauth | ||
* laminas/laminas-xml | ||
* laminas/laminas-composer-autoloading | ||
* laminas/laminas-auradi-config |
This exists to allow using Aura.DI with Mezzio, and has had bugfixes related to new versions of Aura.DI already this year.
* laminas/laminas-xml2json | ||
* laminas/laminas-soap | ||
* laminas/laminas-paginator | ||
* laminas/laminas-navigation |
Lot of users of this one as well, though nobody really actively maintaining it - though @froschdesign has done some work to create a compatibility layer for Mezzio (but it has never been merged). Again, not sure if we should call it "security-only".
Support for Mezzio is on the way and I have a prototype for the third version!
* laminas/laminas-serializer | ||
* laminas/laminas-tag | ||
* laminas/laminas-text | ||
* laminas/laminas-twitter |
This one is actively developed (I've done features for this in the past year, and there's a few more I'm planning, primarily to support the bot.)
* laminas/laminas-twitter | ||
* laminas/laminas-uri | ||
* laminas/laminas-mail | ||
* laminas/laminas-file |
The `Laminas\File\Transfer` subcomponent in here provides features consumed by laminas-inputfilter for handling file uploads.
* laminas/laminas-uri | ||
* laminas/laminas-mail | ||
* laminas/laminas-file | ||
* laminas/laminas-di |
This is actively developed, and the maintainer has been doing an excellent job of providing features. (In fact, he's even provided ways to integrate with laminas-servicemanager, and provides AoT compilation.) This is something I'd like to see as part of our tutorials, actually.
* laminas/laminas-mail | ||
* laminas/laminas-file | ||
* laminas/laminas-di | ||
* laminas/laminas-skeleton-installer |
This is a Composer plugin used by all of our skeletons in order to prompt for optional packages. In point of fact, it will be getting updates soon so that it remains compatible with Composer v2.
I wanted to make a few comments here as I was the instigator of this discussion and @Ocramius kindly documented it. What we are not saying here is "these components are deprecated" but more this is a statement of intent to say "we're not focusing on these components currently".

I would love to use Barcode as an example here, because for me it's unmaintainable without the original author Ben being around. Look at the code; would you be happy maintaining this? https://github.com/laminas/laminas-barcode/blob/master/src/Renderer/Pdf.php#L107

I know this is a surprise to a lot of people and immediate reaction is "this is a good component!!!!1111" but we're proposing discussion around the question "do we have the resource to be actively maintaining this component currently?" - not forever more, but currently. Personally, I'd prefer to see a committed team working on components that offer quality modern PHP libraries for developers. Supporting something like the Log component when there's a de facto standard in PHP now feels like wasted energy to me.

We're not saying "WE SHOULD DEPRECATE ALL THESE PACKAGES" but "we should have conversation around all these packages" which is already happening. So good.

Closing, as it has been voted and decided. See: https://github.com/laminas/technical-steering-committee/blob/main/meetings/minutes/2020-08-03-TSC-Minutes.md#vote-on-components-to-mark-as-security-only
No description provided.