Propose list of components to move to security-only maintenance #31

Closed

Ocramius

No description provided.

@Ocramius Ocramius added Feature Removal Question Further information is requested labels Jun 18, 2020

@weierophinney weierophinney left a comment

I'm not quite sure how you brainstormed this list, but I found a ton of cases where I know we have active development and/or I know the components are widely used and should likely get updates as new PHP versions are released.

We can either incorporate my comments into the agenda, or use them to remove items from the list in order to reduce how many we need to discuss during the meeting.

Proposal: these components should (probably) be clearly labeled so that maintainers know that only security
issues are to be fixed, if they occur.

* laminas-db

You mention this one twice (it's also the last entry on the list). And there's actually some projects/milestones that have been proposed around it, with @samsonasik taking some steps in the past week towards them.

I hesitate both to keep it, as well as to get rid of it. If we go forward with some of the proposed changes, which include extracting adapters to their own packages, we might be able to consider removing adapters we do not have the bandwidth/expertise to test, winnowing them down to perhaps only the most popular/useful (e.g., sqlite, mysql, postgres), and leaving others to provide adapters for other platforms.

issues are to be fixed, if they occur.

* laminas-db
* laminas-developer-tools

This one is in active mode, having received features both immediately prior to the migration, and immediately after.

* laminas-db
* laminas-developer-tools
* laminas/laminas-oauth
* laminas/laminas-xml

This is a security component. While it's unlikely to have additional features, it's not impossible, particularly if new XML-based security vectors are discovered.

* laminas-developer-tools
* laminas/laminas-oauth
* laminas/laminas-xml
* laminas/laminas-composer-autoloading

This is likely going to be updated to consume laminas-cli, and be used by other tooling to add/remove modules and/or source directories to applications.

* laminas/laminas-oauth
* laminas/laminas-xml
* laminas/laminas-composer-autoloading
* laminas/laminas-auradi-config

This exists to allow using Aura.DI with Mezzio, and has had bugfixes related to new versions of Aura.DI already this year.

* laminas/laminas-xml2json
* laminas/laminas-soap
* laminas/laminas-paginator
* laminas/laminas-navigation

Lot of users of this one as well, though nobody really actively maintaining it - though @froschdesign has done some work to create a compatibility layer for Mezzio (but it has never been merged). Again, not sure if we should call it "security-only".

Member

Support for Mezzio is on the way and I have a prototype for the third version!

* laminas/laminas-serializer
* laminas/laminas-tag
* laminas/laminas-text
* laminas/laminas-twitter

This one is actively developed (I've done features for this in the past year, and there's a few more I'm planning, primarily to support the bot.)

* laminas/laminas-twitter
* laminas/laminas-uri
* laminas/laminas-mail
* laminas/laminas-file

The Laminas\File\Transfer subcomponent in here provides features consumed by laminas-inputfilter for handling file uploads.

* laminas/laminas-uri
* laminas/laminas-mail
* laminas/laminas-file
* laminas/laminas-di

This is actively developed, and the maintainer has been doing an excellent job of providing features. (In fact, he's even provided ways to integrate with laminas-servicemanager, and provides AoT compilation.) This is something I'd like to see as part of our tutorials, actually.

* laminas/laminas-mail
* laminas/laminas-file
* laminas/laminas-di
* laminas/laminas-skeleton-installer

This is a Composer plugin used by all of our skeletons in order to prompt for optional packages. In point of fact, it will be getting updates soon so that it remains compatible with Composer v2.


GeeH commented Jun 19, 2020

I wanted to make a few comments here as I was the instigator of this discussion and @Ocramius kindly documented it.

What we are not saying here is "these components are deprecated" but more this is a statement of intent to say "we're not focusing on these components currently". I would love to use Barcode as an example here, because for me it's unmaintainable without the original author Ben being around. Look at the code; would you be happy maintaining this?

https://github.com/laminas/laminas-barcode/blob/master/src/Renderer/Pdf.php#L107

I know this is a surprise to a lot of people and the immediate reaction is "this is a good component!!!!1111" but we're proposing discussion around the question "do we have the resource to be actively maintaining this component currently?" - not forever more, but currently.

Personally, I'd prefer to see a committed team working on components that offer quality modern PHP libraries for developers. Supporting something like the Log component when there's a de facto standard in PHP now feels like wasted energy to me.

We're not saying "WE SHOULD DEPRECATE ALL THESE PACKAGES" but "we should have a conversation around all these packages" which is already happening. So good.

@weierophinney weierophinney changed the base branch from master to main August 5, 2020 15:42

@michalbundyra michalbundyra deleted the propose-security-only-status-for-numerous-components branch August 8, 2020 10:53
@laminas laminas locked and limited conversation to collaborators Oct 13, 2020