2016-09-09 10:39 GMT+02:00 Lester Caine <les...@lsces.co.uk>:

> Having slept on the discussion about people today expecting users each
> to have their own environment, I came to something of an impasse.
> How many Linux installations run a package manager that allows
> individual users to install their own versions of
> Apache/PHP/Database/Git/Hg and so on.
Package managers using the central repositories usually don't allow this. But it's only possible because the distribution team carefully watches that the packages in the repository are compatible. The same might not be true for two different PHP apps deployed on the same server. They could have conflicting dependency version constraints. It's not possible in PHP to load two different versions of a class at a time.

> The whole point being that the
> machine has a consistent framework that everybody knows.

That's exactly what Composer provides: a consistent state that pins dependencies to commits. Everyone will get the same environment, even on other machines.

> Even adding
> extensions to PHP they will be added to the single version, which is why
> I expect extensions like 'composer' to be installed centrally so when I
> run it I know it's the same version that every other tech is using.

Composer isn't an extension. It's pure userland code. But you can, and often it is indeed installed globally, e.g. in /usr/local/bin/composer. If you use Ubuntu, it's even included in the main repositories since 16.04: sudo apt-get install composer. But note: we're talking about installing the package manager globally here, not the dependencies per project. Dependencies per project should be installed per project and not globally.

> Now I have no problem with each user pulling their own clone of the code
> via Git or Hg and creating their own 'play area' to check out bugs and
> there is nothing to stop them running multiple copies of the PHP code
> against the central web services. They are testing in parallel with the
> live code in an identical environment. But obviously it would be safer
> to have a second mirror machine installed with the same version of
> distribution on which to test, and in an ideal world one would update
> the development machine, run all the tests and ensure there are no
> problems before allowing the production machine to roll over.
> I did say
> ideal ;) Most sites will skip whole major versions of updates simply
> because their production system IS working ...

Which is usually fine as long as the old major still receives support in the form of security updates. If the old major is no longer maintained, you should switch; otherwise you risk being exposed to known security vulnerabilities. But not upgrading doesn't have anything to do with HOW the dependencies are managed. Except that it's pretty easy to consume semver updates with Composer.

> Back to PEAR ... what happens if I simply install a copy of composer
> centrally and rename it 'PEAR'.

Why rename it to PEAR? It's a different tool. Just call it Composer, as it's named.

> composer.phar simply gets installed
> centrally and any new tech has access without having to install their
> own copy.

That's entirely fine, as said. New tech should still install their own version of the repository and install the dependencies there.

Regards,
Niklas

> As with Git/Hg users can have their own play areas USING
> composer, but to be honest from a safety point of view one knows that
> the version of composer being run has not been infected with some
> injection mechanism. We keep going on about validating the PHP code
> against malicious attack, but the whole framework is open to that?
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
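As an added illustration of the commit-level pinning Niklas describes above (this is not code from the thread or from the Composer project), the script below audits a constructed composer.lock and reports which packages are actually pinned to a git commit and which would move on the next `composer update`; the lock contents and vendor names are made up for the example.

```python
"""Audit a composer.lock for the commit-level pinning Composer provides."""
import json
import re

# A locked package is reproducible when its source reference is a full git SHA-1.
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample composer.lock (not a real project's lock file): one package
# pinned to a tag and commit, one tracking a branch, and one with no git source.
SAMPLE_LOCK = json.dumps({
    "content-hash": "0123456789abcdef0123456789abcdef",
    "packages": [
        {"name": "vendor/pinned", "version": "v1.2.3",
         "source": {"type": "git", "url": "https://example.invalid/pinned.git",
                    "reference": "a" * 40}},
        {"name": "vendor/branch", "version": "dev-master",
         "source": {"type": "git", "url": "https://example.invalid/branch.git",
                    "reference": "b" * 40}},
        {"name": "vendor/dist-only", "version": "2.0.0",
         "dist": {"type": "zip", "url": "https://example.invalid/dist.zip"}},
    ],
    "packages-dev": [],
})


def audit_lock(lock_text):
    """Map each locked package name to a list of findings (empty = pinned to a commit)."""
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            problems = []
            ref = pkg.get("source", {}).get("reference", "")
            if not COMMIT_RE.match(ref):
                problems.append("no git commit reference in source")
            # dev-* versions are branch aliases: `composer install` replays the
            # locked commit, but `composer update` follows the branch head.
            if pkg.get("version", "").startswith("dev-"):
                problems.append("branch version, moves on composer update")
            findings[pkg["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_lock(SAMPLE_LOCK).items():
        print(name, "pinned" if not problems else "; ".join(problems))
```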