On Thu, May 29, 2014 at 11:27 AM, Bryan Davis <bd808(a)wikimedia.org> wrote:
My logging changes [0][1][2][3] are getting closer to
being mergeable
(the first has already been merged). Tony Thomas' Swift Mailer change
[4] is also progressing. Both sets of changes introduce the concept of
specifying external library dependencies, both required and suggested,
to mediawiki/core.git via composer.json. Composer can be used by
people directly consuming the git repository to install and manage
these dependencies. I gave a example set of usage instructions in the
commit message for my patch that introduced the dependency on PSR-3
[0]. In the production cluster, on Jenkins job runners and in the
tarball releases we will want a different solution.
My idea of how to deal with this is to create a new gerrit repository
(mediawiki/core/vendor.git?) that contains a composer.json file
similar to the one I had in patch set 7 of my first logging patch [5].
This composer.json file would be used to tell Composer the exact
versions of libraries to download. Someone would manually run Composer
in a checkout of this repository and then commit the downloaded
content, composer.lock file and generated autoloader.php to the
repository for review. We would then be able to branch and use this
repository as git submodule in the wmf/1.2XwmfY branches that are
deployed to production and ensure that it is checked out along with
mw-core on the Jenkins nodes. By placing this submodule at $IP/vendor
in mw-core we would be mimicking the configuration that direct users
of Composer will experience. WebStart.php already includes
$IP/vendor/autoload.php when present so integration with the rest of
wm-core should follow from that.
The proposed repository has been created [0] and has an initial set of
proposed additions pending review [1].
There is still some ongoing internal discussion about the best way to
verify that included libraries are needed and that security patches
are watched for and applied from upstream. Chris Steipp is awesome,
but it would be quite an additional burden to hang these thousands of
new lines of code around his neck as yet another burden to bear. One
current theory is that need should be determined by the RFC process
and security support would need to be provided by a "sponsor" of the
library.
[0]:
https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/core/vendor
[1]:
https://gerrit.wikimedia.org/r/#/projects/mediawiki/core/vendor,dashboards/…
Bryan
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
irc: bd808 v:415.839.6885 x6855