On Thu, May 29, 2014 at 11:27 AM, Bryan Davis bd808@wikimedia.org wrote:
> My logging changes [0][1][2][3] are getting closer to being mergeable (the first has already been merged). Tony Thomas' Swift Mailer change [4] is also progressing. Both sets of changes introduce the concept of specifying external library dependencies, both required and suggested, to mediawiki/core.git via composer.json. Composer can be used by people directly consuming the git repository to install and manage these dependencies. I gave an example set of usage instructions in the commit message for my patch that introduced the dependency on PSR-3 [0]. In the production cluster, on Jenkins job runners and in the tarball releases we will want a different solution.
> My idea of how to deal with this is to create a new gerrit repository (mediawiki/core/vendor.git?) that contains a composer.json file similar to the one I had in patch set 7 of my first logging patch [5]. This composer.json file would be used to tell Composer the exact versions of libraries to download. Someone would manually run Composer in a checkout of this repository and then commit the downloaded content, composer.lock file and generated autoloader.php to the repository for review. We would then be able to branch and use this repository as a git submodule in the wmf/1.2XwmfY branches that are deployed to production and ensure that it is checked out along with mw-core on the Jenkins nodes. By placing this submodule at $IP/vendor in mw-core we would be mimicking the configuration that direct users of Composer will experience. WebStart.php already includes $IP/vendor/autoload.php when present so integration with the rest of mw-core should follow from that.
The proposed repository has been created [0] and has an initial set of proposed additions pending review [1].
There is still some ongoing internal discussion about the best way to verify that included libraries are needed and that security patches are watched for and applied from upstream. Chris Steipp is awesome, but it would be quite an additional burden to hang these thousands of new lines of code around his neck as yet another burden to bear. One current theory is that need should be determined by the RFC process and security support would need to be provided by a "sponsor" of the library.
[0]: https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/core/vendor
[1]: https://gerrit.wikimedia.org/r/#/projects/mediawiki/core/vendor,dashboards/d...
Bryan
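The quoted plan relies on the vendor repository's composer.json pinning exact library versions and on the committed composer.lock agreeing with it, so that what lands in production is exactly what was reviewed. The following is an added example, not code from this thread or from the mediawiki/core/vendor repository: a small review-time check that flags require entries which use a version range instead of an exact version, and entries whose locked version does not match the pin or which are missing from the lock. The sample composer.json and composer.lock contents are constructed for illustration; the "require", "packages", "name" and "version" keys are the standard Composer fields, while the exact-version regex and the policy of treating anything else as unpinned are this example's own assumptions.

```python
import json
import re

# Composer "exact" constraints look like "1.2.3", "v1.2.3" or "1.2.3-rc1";
# anything with ^, ~, *, comparison operators, "||" or a branch name
# ("dev-master") is a range and is treated as unpinned. (Regex is an
# assumption of this example, not Composer's own parser.)
_EXACT = re.compile(r"^v?\d+(\.\d+){0,3}(-[0-9A-Za-z.]+)?$")

# Constructed sample: a vendor-repo composer.json with one range slipped in.
SAMPLE_COMPOSER_JSON = """{
  "require": {
    "php": ">=5.3.2",
    "psr/log": "1.0.0",
    "monolog/monolog": "^1.9",
    "swiftmailer/swiftmailer": "v5.1.0"
  }
}"""

# Constructed sample: a composer.lock that was generated before swiftmailer
# was added to composer.json, so it is stale.
SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "psr/log", "version": "1.0.0"},
    {"name": "monolog/monolog", "version": "1.9.1"}
  ]
}"""


def _library_requirements(composer_json_text):
    """Return require entries for real packages (skip the php/ext-* platform entries)."""
    data = json.loads(composer_json_text)
    return {name: constraint for name, constraint in data.get("require", {}).items()
            if name != "php" and not name.startswith("ext-")}


def _norm(version):
    """Compare versions without the optional leading 'v'."""
    return version.lstrip("v")


def unpinned_requirements(composer_json_text):
    """Names of required packages whose constraint is not an exact version."""
    reqs = _library_requirements(composer_json_text)
    return sorted(name for name, constraint in reqs.items() if not _EXACT.match(constraint))


def lock_mismatches(composer_json_text, composer_lock_text):
    """Map of package -> problem for pins that composer.lock does not honour.

    Packages present only in the lock are ignored: they are transitive
    dependencies, which is legitimate.
    """
    reqs = _library_requirements(composer_json_text)
    locked = {pkg["name"]: pkg["version"]
              for pkg in json.loads(composer_lock_text).get("packages", [])}
    problems = {}
    for name, constraint in reqs.items():
        if name not in locked:
            problems[name] = "missing from composer.lock"
        elif _EXACT.match(constraint) and _norm(locked[name]) != _norm(constraint):
            problems[name] = "locked %s, required %s" % (locked[name], constraint)
    return problems


def main():
    # Usage: run against the constructed samples and print a reviewer report.
    for name in unpinned_requirements(SAMPLE_COMPOSER_JSON):
        print("UNPINNED: %s" % name)
    for name, why in sorted(lock_mismatches(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK).items()):
        print("LOCK MISMATCH: %s (%s)" % (name, why))


if __name__ == "__main__":
    main()
```

Run against the samples, the check reports monolog/monolog as unpinned and swiftmailer/swiftmailer as missing from the lock; psr/log passes because its pin and its locked version agree. Wiring a check like this into the Jenkins job that tests the vendor repository would catch a composer.json edit that was committed without rerunning Composer, which is exactly the drift the submodule approach is meant to avoid.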