On Tue, Jun 3, 2014 at 2:07 AM, Bryan Davis bd808@wikimedia.org wrote:
I have converted my email on using composer to manage a set of library dependencies for MediaWiki-Core [0] into an RFC [1]. Work is continuing on the implementation of this project, but there are still debatable implementation details, and the RFC process is meant not only to validate ideas but to leave behind a record of the design decisions that have been made and the trade-offs that were considered in the process.
In particular, the current draft RFC omits discussion of the concept of library "ownership" for long-term updates and security fixes and could use more detail around the process of forking, patching and subsequently maintaining an external library. I will attempt to fill in some of these details as I see them over the next day or so, but now would be a great time for people with strong ideas or opinions on these aspects to comment on the talk page.
Thanks in no small part to a reminder from Sumana, I have updated the RFC for "Composer managed libraries for use on WMF cluster". Much of the initial work required for this RFC has now been implemented:
* The mediawiki/core/vendor.git gerrit repository has been created.
* make-wmf-branch has been updated to branch mediawiki/core/vendor and add it as a submodule on new 1.XwmfY branches.
* The beta cluster is tracking the current HEAD of mediawiki/core/vendor's master branch.
* The PSR-3 logging interface and Monolog libraries have been added to mediawiki/core/vendor via gerrit commits.
* Work is progressing to configure Jenkins/Zuul to checkout mediawiki/core/vendor during test runs.
I would appreciate feedback on the RFC. In particular I would like to see discussion on how we should manage tracking upstream vulnerabilities and security patches for deployed libraries. How should we assign "ownership" of maintaining a particular library and what techniques can we use to ensure that vulnerabilities are patched in a timely and responsible manner?
Bryan
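The message above asks how upstream vulnerabilities in composer-managed libraries should be tracked and who should own the patching. One concrete mechanism is to compare the versions pinned in the vendor repository's composer.lock against an advisory feed and route each hit to the assigned library owner. The script below is an added illustration, not code from Bryan's RFC, MediaWiki or the WMF cluster: the lock file, the advisory list, the package name example/acme-lib, the advisory IDs and the ownership map are all constructed for this example, and no real vulnerability in psr/log or Monolog is implied.

```python
import json
import re

# Constructed composer.lock, trimmed to the fields this example reads.
# psr/log and monolog/monolog mirror the libraries named in the RFC update;
# example/acme-lib is a fictional package added so the check has a hit.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "1.0.0"},
        {"name": "monolog/monolog", "version": "1.9.1"},
        {"name": "example/acme-lib", "version": "v2.3.1"},
    ],
    "packages-dev": [
        {"name": "example/test-helper", "version": "dev-master"},
    ],
})

# Constructed advisory feed. "fixed_in" means every lower version is affected.
# The identifiers are placeholders, not real CVEs or vendor advisories.
SAMPLE_ADVISORIES = [
    {"package": "example/acme-lib", "fixed_in": "2.3.4", "id": "EXAMPLE-0001"},
    {"package": "example/not-deployed", "fixed_in": "1.0.1", "id": "EXAMPLE-0002"},
    {"package": "example/test-helper", "fixed_in": "0.9.0", "id": "EXAMPLE-0003"},
]

# Constructed ownership map, the "library owner" concept the RFC asks about.
OWNERS = {
    "psr/log": "logging-maintainers",
    "monolog/monolog": "logging-maintainers",
    "example/acme-lib": "acme-maintainers",
}


def parse_version(version):
    """Turn '1.9.1' or 'v1.9.1' into a tuple of ints for comparison.

    Non-numeric versions such as 'dev-master' yield an empty tuple, which
    sorts below every numeric version, so branch checkouts are flagged
    conservatively for manual review rather than silently passed.
    """
    numbers = []
    for part in re.split(r"[.\-]", version.lstrip("v")):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple(numbers)


def installed_packages(lock_json):
    """Map package name -> pinned version across both lock sections."""
    data = json.loads(lock_json)
    pinned = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            pinned[pkg["name"]] = pkg["version"]
    return pinned


def find_vulnerable(lock_json, advisories, owners):
    """Return one record per advisory that applies to a pinned package."""
    pinned = installed_packages(lock_json)
    hits = []
    for adv in advisories:
        name = adv["package"]
        if name not in pinned:
            continue  # not deployed, so nothing to patch
        installed = pinned[name]
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            hits.append({
                "package": name,
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
                "owner": owners.get(name, "UNASSIGNED"),
                "manual_review": parse_version(installed) == (),
            })
    return hits


def report(hits):
    """Format hits as one line each, suitable for a bug or mailing-list post."""
    lines = []
    for h in hits:
        note = " (non-numeric version, review manually)" if h["manual_review"] else ""
        lines.append("%s %s < %s: %s -> owner %s%s" % (
            h["package"], h["installed"], h["fixed_in"],
            h["advisory"], h["owner"], note))
    return lines


if __name__ == "__main__":
    for line in report(find_vulnerable(SAMPLE_COMPOSER_LOCK, SAMPLE_ADVISORIES, OWNERS)):
        print(line)
```

Running it against the constructed data flags example/acme-lib (pinned below the fixed version) and the dev-master test helper, and routes the first to acme-maintainers; packages with no owner in the map come out as UNASSIGNED, which is exactly the gap the RFC's ownership discussion is meant to close.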