On 2024-09-11 17:23:16, Jaco Kroon wrote:
> 1. Let users (myself included) just download and use that.
> 2. We package the phar file rather than the individual deps. Yes, this
> is cheating. Like using embedded libs, however, I've seen and observed
> that in some cases this makes more sense than splitting them up (e.g.
> clippy and frr).
> 3. We go about figuring everything out again and bumping all those
> individual packages and keeping them all up to date individually. I
> don't think this is worth our time and effort.
>
> I honestly think in this case 2 may well be acceptable. Otherwise 1, but
> I think 3 is not worth the effort based on your feedback and further
> reading from when I originally posed the question to now.
I agree that (3) is probably too much trouble. It might be worth it if someday people want to bring back other packages that would benefit from the deps, like PHPUnit. I don't like (2) because there's no way for the security team to know what's inside composer.phar, and no way for users to tell that they've got ~15 bundled dependencies in a tool that's extremely sensitive. So... what I've been doing is putting composer.phar in /usr/local/bin. (I also run it as a separate user because I don't trust the code it's downloading but that has nothing to do with Gentoo.)
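The objection above is that nobody can see which dependencies ride inside composer.phar. The script below is an added example, not code from this thread or from the Composer project: it walks a phar's embedded vendor/ tree with PHP's own Phar API and lists the bundled packages, together with the archive's signature. It assumes the archive uses the standard Composer layout vendor/<vendor>/<package>/... (composer.phar does), and takes the path to inspect as its first argument.

```php
<?php
// Added example for inspecting a phar such as composer.phar; not part of
// the gentoo-dev thread. Assumes the embedded vendor/ tree follows the
// usual Composer layout vendor/<vendor>/<package>/... . Nothing is
// written, so the default phar.readonly=1 setting is fine.

/** Return [ 'vendor/package' => file count ] for every bundled package. */
function bundledPackages(string $pharPath): array
{
    $phar = new Phar($pharPath);
    // Phar::getPath() gives the resolved on-disk path; entries inside the
    // archive are reported as phar://<that path>/<internal path>.
    $base = 'phar://' . $phar->getPath() . '/';
    $packages = [];

    foreach (new RecursiveIteratorIterator($phar) as $file) {
        $rel = substr($file->getPathname(), strlen($base));
        if (strncmp($rel, 'vendor/', 7) !== 0) {
            continue; // Composer's own src/ and res/, not a dependency
        }
        $parts = explode('/', substr($rel, 7));
        // vendor/autoload.php and vendor/composer/autoload_*.php are the
        // generated autoloader, not packages; real packages sit two
        // directories deep (e.g. vendor/symfony/console/...).
        if (count($parts) < 3) {
            continue;
        }
        $name = $parts[0] . '/' . $parts[1];
        $packages[$name] = ($packages[$name] ?? 0) + 1;
    }
    ksort($packages);
    return $packages;
}

/** Describe the archive signature, or 'none' if the phar is unsigned. */
function pharSignature(string $pharPath): string
{
    $sig = (new Phar($pharPath))->getSignature();
    if ($sig === false) {
        return 'none';
    }
    return $sig['hash_type'] . ' ' . $sig['hash'];
}

$path = $argv[1] ?? 'composer.phar';
printf("%s\nsignature: %s\n\n", $path, pharSignature($path));
foreach (bundledPackages($path) as $name => $files) {
    printf("%-45s %5d files\n", $name, $files);
}
```

Run it as `php list-phar-deps.php /usr/local/bin/composer.phar`. The signature printed here is the phar's internal integrity hash (SHA-1/SHA-256/OpenSSL), which only tells you the archive is not corrupt; to know you have the release the upstream project published, compare the file's checksum against the one Composer publishes for that version, and treat the package list as the input for whatever vulnerability matching the security team would otherwise do against individually packaged deps.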