Hi,
On 2024/09/13 12:22, Michael Orlitzky wrote:
On 2024-09-11 17:23:16, Jaco Kroon wrote:
1. Let users (myself included) just download and use that.
2. We package the phar file rather than the individual deps. Yes, this
is cheating. Like using embedded libs; however, I've seen and observed
that in some cases this makes more sense than splitting them up (e.g.
clippy and frr).
3. We go about figuring everything out again and bumping all those
individual packages and keeping them all up to date individually. I
don't think this is worth our time and effort.
I honestly think in this case 2 may well be acceptable. Otherwise 1, but
I think 3 is not worth the effort based on your feedback and further
reading from when I originally posed the question to now.
I agree that (3) is probably too much trouble. It might be worth it if
someday people want to bring back other packages that would benefit
from the deps, like PHPUnit.
I don't like (2) because there's no way for the security team to know
what's inside composer.phar, and no way for users to tell that they've
got ~15 bundled dependencies in a tool that's extremely
sensitive. So... what I've been doing is putting composer.phar in
/usr/local/bin. (I also run it as a separate user because I don't
trust the code it's downloading but that has nothing to do with
Gentoo.)
I think, then, let's stick with that.
I'm not able to edit https://wiki.gentoo.org/wiki/Composer_packaging in
order to make reference of this discussion there so others looking at it
will understand what the motivation is. In the meantime I'm sorted at
least.
Thanks for the constructive discussion.
Kind regards,
Jaco