Hey all,
I just noticed that MediaWiki specifies specific versions of the libraries it uses in its composer.json: https://github.com/wikimedia/mediawiki/blob/ca56f1fbc32529622cf430fe2ed44347...
To me this is somewhat surprising and not something I've seen often. Why are bugfix releases excluded from the version ranges? And is it really a good idea considering it causes the users of the latest stable MediaWiki release to download outdated versions of various libraries? https://github.com/wikimedia/mediawiki/blob/REL1_25/composer.json#L19-L29
Cheers
-- Jeroen De Dauw - http://www.bn2vs.com Software craftsmanship advocate Developer at Wikimedia Germany ~=[,,_,,]:3
Perhaps this has something to do with versions of composer installed libraries drifting from the vendor repo.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2015-07-24 4:21 PM, Jeroen De Dauw wrote:
Hey all,
I just noticed that MediaWiki specifies specific versions of the libraries it uses in its composer.json: https://github.com/wikimedia/mediawiki/blob/ca56f1fbc32529622cf430fe2ed44347...
To me this is somewhat surprising and not something I've seen often. Why are bugfix releases excluded from the version ranges? And is it really a good idea considering it causes the users of the latest stable MediaWiki release to download outdated versions of various libraries? https://github.com/wikimedia/mediawiki/blob/REL1_25/composer.json#L19-L29
Cheers
-- Jeroen De Dauw - http://www.bn2vs.com Software craftsmanship advocate Developer at Wikimedia Germany ~=[,,_,,]:3
Hi,
On 07/24/2015 04:21 PM, Jeroen De Dauw wrote:
Hey all,
To me this is somewhat surprising and not something I've seen often. Why are bugfix releases excluded from the version ranges?
Not all package maintainers follow semver perfectly. For example, the upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility break[1] which would have broken our logging if we had used "~1.11" in composer.json. Using a pinned version is safer to avoid BC issues and allows for controlled upgrades where developers, CI, and production are all using the same version in a predictable manner.
Normally people do this by putting ranges in the composer.json and committing the composer.lock file to pin to a specific version, but that would prevent people from adding arbitrary dependencies to MW for extensions due to a dirty composer.lock file ([2], etc.)... so we just put the specific versions in composer.json instead.
And is it really a good idea considering it causes the users of the latest stable MediaWiki release to download outdated versions of various libraries? https://github.com/wikimedia/mediawiki/blob/REL1_25/composer.json#L19-L29
IMO yes. It means that people using git/composer are getting the same dependencies as the people using the mediawiki/vendor repo and the tarball. If there are bugfixes in libraries that affect MediaWiki, we should backport library updates just like any other bug fix that is backported.
[1] https://phabricator.wikimedia.org/T89313 [2] https://phabricator.wikimedia.org/T67188
-- Legoktm
Hey,
Not all package maintainers follow semver perfectly. For example, the upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility break[1] which would have broken our logging if we had used "~1.11" in composer.json.
That is true. Often it's not pragmatic to follow the rules 100%. There'd have been no issue if the range used had been "~1.11.0". What about the libraries that are part of the MediaWiki project itself? Supposedly we can trust those. If we can't, that seems like a bigger problem to begin with.
Normally people do this by putting ranges in the composer.json and committing the composer.lock file to pin to a specific version, but that would prevent people from adding arbitrary dependencies to MW for extensions due to a dirty composer.lock file ([2], etc.)... so we just put the specific versions in composer.json instead.
Unfortunately those things are not equivalent. If you use a composer.lock, one can still run composer update. That is not only needed when one wants to get bugfixes. Imagine you want to install a MediaWiki extension that requires version "^1.0.1" of some library while MediaWiki requires "1.0.0". You end up not being able to install the extension, since MediaWiki's composer.json says "no, you can't use that bugfix". That seems like a huge usability fail to me. Am I missing something?
If there are bugfixes in libraries that affect MediaWiki, we should backport library updates just like any other bug fix that is backported.
I hope this was meant to say "that affect *the people using* MediaWiki".
Cheers
-- Jeroen De Dauw - http://www.bn2vs.com Software craftsmanship advocate Developer at Wikimedia Germany ~=[,,_,,]:3
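To make the two constraint questions in this thread concrete (whether "~1.11" versus "~1.11.0" would have let monolog 1.12.0 in, and whether a core pin of "1.0.0" can coexist with an extension asking for "^1.0.1"), here is an added example that is not MediaWiki or Composer code. It implements only the subset of Composer's constraint syntax the thread mentions (exact pins, tilde and caret ranges, numeric major.minor.patch versions) with Composer's documented semantics, and the `intersect` helper stands in for what a resolver must find when every constraint has to hold at once; the version numbers are the ones quoted in the messages above.

```python
"""Composer-style version constraint checker (added example, not Composer's resolver).

Supported syntax: exact pins ("1.0.0"), tilde ranges ("~1.11", "~1.11.0") and
caret ranges ("^1.0.1"). Each constraint becomes a half-open range
[lower, upper) over (major, minor, patch) tuples.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]  # lower inclusive, upper exclusive


def parse_version(text: str) -> Version:
    """'1.11' -> (1, 11, 0); only numeric major[.minor[.patch]] is accepted."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def parse_constraint(text: str) -> Range:
    text = text.strip()
    if text.startswith("~"):
        # Tilde: the last component given may grow, the one before it is fixed.
        # ~1 and ~1.11 -> up to (not including) 2.0.0; ~1.11.0 -> up to 1.12.0
        parts = text[1:].split(".")
        lower = parse_version(text[1:])
        if len(parts) <= 2:
            upper: Version = (lower[0] + 1, 0, 0)
        else:
            upper = (lower[0], lower[1] + 1, 0)
        return lower, upper
    if text.startswith("^"):
        # Caret: anything below the next major; for 0.x the first non-zero
        # component plays the role of the major.
        lower = parse_version(text[1:])
        if lower[0] > 0:
            upper = (lower[0] + 1, 0, 0)
        elif lower[1] > 0:
            upper = (0, lower[1] + 1, 0)
        else:
            upper = (0, 0, lower[2] + 1)
        return lower, upper
    # Exact pin: the single version, i.e. [v, next patch).
    lower = parse_version(text)
    return lower, (lower[0], lower[1], lower[2] + 1)


def satisfies(constraint: str, version: str) -> bool:
    """True if `version` is inside the range `constraint` describes."""
    lower, upper = parse_constraint(constraint)
    return lower <= parse_version(version) < upper


def intersect(*constraints: str) -> Optional[Range]:
    """Range that satisfies every constraint at once, or None if they conflict.

    This is the situation in the thread: core pins one version while an
    extension requires a range that starts above it.
    """
    ranges = [parse_constraint(c) for c in constraints]
    lower = max(r[0] for r in ranges)
    upper = min(r[1] for r in ranges)
    return (lower, upper) if lower < upper else None


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


if __name__ == "__main__":
    # The monolog 1.11.0 -> 1.12.0 break: which constraint lets 1.12.0 in?
    for c in ("~1.11", "~1.11.0", "1.11.0"):
        print(f"{c:8} allows 1.12.0: {satisfies(c, '1.12.0')!s:5} "
              f"allows bugfix 1.11.3: {satisfies(c, '1.11.3')}")
    # Core pinned to 1.0.0 (or, hypothetically, "~1.0.0") vs an extension needing ^1.0.1
    for core in ("1.0.0", "~1.0.0"):
        r = intersect(core, "^1.0.1")
        outcome = "conflict, extension cannot be installed" if r is None \
            else f"resolvable within [{fmt(r[0])}, {fmt(r[1])})"
        print(f"core {core:7} + extension ^1.0.1 -> {outcome}")
```

Running it shows "~1.11" admitting 1.12.0 while "~1.11.0" admits only 1.11.x, and the exact pin "1.0.0" producing an empty intersection with "^1.0.1", whereas a patch-level tilde range would have left the resolver a non-empty window.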