Hi,
I'd like to add my extension https://github.com/DanweDE/mediawiki-ext-UserBitcoinAddresses as "mediawiki/user-bitcoin-addresses" in packagist.
When trying to do so, packagist states I should ask someone with the proper rights to maintain the "mediawiki" vendor.
I have read up on
https://www.mediawiki.org/wiki/Manual:Developing_libraries#Packagist_guideli...
And I wrote two of the guys listed to have access to the "mediawiki" vendor account but I am not sure I am getting a reply so I thought I'd also try it through this channel.
Any advice how I'd get my GitHub repo on packagist under the "mediawiki" vendor would be highly appreciated.
Cheers, Daniel
On Tue, Jul 21, 2015 at 6:52 AM, Daniel Werner daniel.a.r.werner@gmail.com wrote:
Hi,
I'd like to add my extension https://github.com/DanweDE/mediawiki-ext-UserBitcoinAddresses as "mediawiki/user-bitcoin-addresses" in packagist.
When trying to do so, packagist states I should ask someone with the proper rights to maintain the "mediawiki" vendor.
I have read up on
https://www.mediawiki.org/wiki/Manual:Developing_libraries#Packagist_guideli...
And I wrote two of the guys listed to have access to the "mediawiki" vendor account but I am not sure I am getting a reply so I thought I'd also try it through this channel.
Any advice how I'd get my GitHub repo on packagist under the "mediawiki" vendor would be highly appreciated.
Migrate the origin repository to the Wikimedia gerrit hosting where the MediaWiki developer community has access to fix security issues and I'll be glad to make sure that Packagist integration is set up properly from there. You are of course free to publish your extension under your own vendor prefix, but if you want to take advantage of the MediaWiki vendor prefix the MediaWiki community needs to be able to assert some measure of control over the published package.
On a semi-related note, use of autoload.files to register an extension with MediaWiki after installation via Composer should be considered a deprecated feature [0].
[0]: https://phabricator.wikimedia.org/T467#1464482
Bryan
On Tue, Jul 21, 2015 at 2:29 PM, Bryan Davis bd808@wikimedia.org wrote:
Migrate the origin repository to the Wikimedia gerrit hosting where the MediaWiki developer community has access to fix security issues and I'll be glad to make sure that Packagist integration is set up properly from there. You are of course free to publish your extension under your own vendor prefix, but if you want to take advantage of the MediaWiki vendor prefix the MediaWiki community needs to be able to assert some measure of control over the published package.
That could also be done via a Wikimedia organization on GitHub, if we don't want to force specific workflows on developers. Although it certainly makes life easier if all "official" extensions share the same code review and CI infrastructure.
Hey Bryan,
What exactly justifies such an authoritarian "need to go through some permission process" setup? Exactly what problems are we currently seeing? I'm very sceptical about such an approach. Sure you can say things such as that it'd be nice for other people to have access. The reality is that most people don't care about most extensions and that a lot of them end up being unmaintained and very low quality to begin with. Telling volunteers they should go follow a process they do not want to follow and that they should use a code hosting service they do not want to use has its downsides. This was also not done in the past. You did not need approval to create a "certified MediaWiki extension" or something like that.
Cheers
-- Jeroen De Dauw - http://www.bn2vs.com Software craftsmanship advocate Developer at Wikimedia Germany ~=[,,_,,]:3
On Tue, Jul 21, 2015 at 5:42 PM, Jeroen De Dauw jeroendedauw@gmail.com wrote:
Hey Bryan,
What exactly justifies such an authoritarian "need to go through some permission process" setup? Exactly what problems are we currently seeing? I'm very sceptical about such an approach. Sure you can say things such as that it'd be nice for other people to have access. The reality is that most people don't care about most extensions and that a lot of them end up being unmaintained and very low quality to begin with. Telling volunteers they should go follow a process they do not want to follow and that they should use a code hosting service they do not want to use has its downsides. This was also not done in the past. You did not need approval to create a "certified MediaWiki extension" or something like that.
As of https://github.com/composer/packagist/issues/163#issuecomment-99673878 Packagist itself has created this restriction of vendor namespaces actually indicating some level of ownership. A vendor is a supplier of a good or service. Publishing something as mediawiki/* is explicitly claiming affiliation with the MediaWiki open source project. As such it seems not unreasonable to ensure that projects claiming to be supplied by the MediaWiki community actually are indeed serviceable by that community. Note that there is no form of restriction for publishing a package that provides a MediaWiki extension or other related functionality under another namespace.
I would certainly welcome an RfC discussion of the current policy and a potential replacement. From my point of view, use of the MediaWiki brand implies endorsement by the MediaWiki community and thus should only be easily available to projects that are able to be contributed to and managed by that community. If for example a serious security flaw was found in a mediawiki/foo package on Packagist the community should be empowered to fix it.
Bryan
Bryan Davis bd808@wikimedia.org writes:
On Tue, Jul 21, 2015 at 5:42 PM, Jeroen De Dauw jeroendedauw@gmail.com wrote:
What exactly justifies such an authoritarian "need to go through some permission process" setup? Exactly what problems are we currently seeing?
I would certainly welcome an RfC discussion of the current policy and a potential replacement. From my point of view, use of the MediaWiki brand implies endorsement by the MediaWiki community and thus should only be easily available to projects that are able to be contributed to and managed by that community. If for example a serious security flaw was found in a mediawiki/foo package on Packagist the community should be empowered to fix it.
This discussion is at least tangentially related to the IdeaLab project that Chris Koerner and I formulated at Wikimania:
https://meta.wikimedia.org/wiki/Grants:IdeaLab/Making_Gerrit_access_easier_f...
There are benefits to using the Gerrit.w.o -- the git repository that most MW-experienced developers are using, and where they have rights to upgrade code (e.g. the i18n conversion to json) -- instead of Github, Assembla, Kiln, or Bitbucket.
We've done a poor job of explaining the benefits, though, and, more than that, providing an infrastructure that developers not deeply involved with the WMF can use, though.
I invite your comments on the IdeaLab proposal page. Maybe it means improving MediaWiki support for developers on GitHub, but if that is the route we go, then we need to figure out a way to do that.
Mark.
Thank you folks!
I guess I wasn't logged in when I first tried. It works fine now [0]. Anyhow, I am with Gergo and Jeroen on the issue of code hosting and I chose to use GitHub. I also have lots of extensions on WM's facilities and won't change that in the near future but I am switching to GitHub as I am maintaining more and more also non-MW related packages there and I feel like it is less troublesome even though I have also worked on Gerrit for 19 months on a daily basis when working as part of the Wikidata team. Also, some of the biggest MW extensions such as "Semantic MediaWiki" and "Maps" seem to be hosted on GitHub already and I cannot see how they would lack any support from our community in terms of contributions.
Cheers, Daniel
[0]: https://packagist.org/packages/mediawiki/user-bitcoin-addresses
On 22 July 2015 at 00:57, Bryan Davis bd808@wikimedia.org wrote:
On Tue, Jul 21, 2015 at 5:42 PM, Jeroen De Dauw jeroendedauw@gmail.com wrote:
Hey Bryan,
What exactly justifies such an authoritarian "need to go through some permission process" setup? Exactly what problems are we currently seeing? I'm very sceptical about such an approach. Sure you can say things such as that it'd be nice for other people to have access. The reality is that most people don't care about most extensions and that a lot of them end up being unmaintained and very low quality to begin with. Telling volunteers they should go follow a process they do not want to follow and that they should use a code hosting service they do not want to use has its downsides. This was also not done in the past. You did not need approval to create a "certified MediaWiki extension" or something like that.
As of https://github.com/composer/packagist/issues/163#issuecomment-99673878 Packagist itself has created this restriction of vendor namespaces actually indicating some level of ownership. A vendor is a supplier of a good or service. Publishing something as mediawiki/* is explicitly claiming affiliation with the MediaWiki open source project. As such it seems not unreasonable to ensure that projects claiming to be supplied by the MediaWiki community actually are indeed serviceable by that community. Note that there is no form of restriction for publishing a package that provides a MediaWiki extension or other related functionality under another namespace.
I would certainly welcome an RfC discussion of the current policy and a potential replacement. From my point of view, use of the MediaWiki brand implies endorsement by the MediaWiki community and thus should only be easily available to projects that are able to be contributed to and managed by that community. If for example a serious security flaw was found in a mediawiki/foo package on Packagist the community should be empowered to fix it.
Bryan
Bryan Davis Wikimedia Foundation bd808@wikimedia.org [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Gerrit is too unpredictable for users: https://phabricator.wikimedia.org/T86476#1462980 . It's probably easier and more functional to create some "mediawiki-users" vendor on packagist and let any MediaWiki sysadmin (not developer) join to add the packages they need for whatever reason.
Nemo
On Wed, Jul 22, 2015 at 7:13 AM Federico Leva (Nemo) nemowiki@gmail.com wrote:
Gerrit is too unpredictable for users: https://phabricator.wikimedia.org/T86476#1462980 . It's probably easier and more functional to create some "mediawiki-users" vendor on packagist and let any MediaWiki sysadmin (not developer) join to add the packages they need for whatever reason.
Forcing people to use Gerrit is quite possibly a violation of the Geneva Convention.
-Chad
On 22/07/2015 16:13, Federico Leva (Nemo) wrote:
Gerrit is too unpredictable for users: https://phabricator.wikimedia.org/T86476#1462980 . It's probably easier and more functional to create some "mediawiki-users" vendor on packagist and let any MediaWiki sysadmin (not developer) join to add the packages they need for whatever reason.
Nemo
About https://gerrit.wikimedia.org/r/#/c/225663/ which states:
Revert "Convert to globals and add composer support"
The RfC for adding composer support for extensions was declined. We should not be adding composer support to more extensions.
Which removes: https://gerrit.wikimedia.org/r/#/c/190027/14/composer.json,unified
And honestly I am confused. From my understanding we wanted to come in a position where we use composer to download the packages and resolve the dependencies then the extension loader, potentially having the extension loader as a composer plugin.