On Tue, Jun 3, 2014 at 2:07 AM, Bryan Davis <bd808(a)wikimedia.org> wrote:
I have converted my email on using composer to manage a set of library
dependencies for MediaWiki-Core [0] into an RFC [1]. Work is
continuing on the implementation of this project, but there are still
debatable implementation details and the RFC process is meant to not
only validate ideas but leave behind a record of the design decisions
that have been made and trade-offs that were considered in the
process.
In particular, the current draft RFC omits discussion of the concept
of library "ownership" for long-term updates and security fixes and
could use more detail around the process of forking, patching and
subsequently maintaining an external library. I will attempt to fill in
some of these details as I see them over the next day or so, but now
would be a great time for people with strong ideas or opinions on
these aspects to comment on the talk page.
[0]: http://www.gossamer-threads.com/lists/wiki/wikitech/467520?page=last
[1]: https://www.mediawiki.org/wiki/Requests_for_comment/Composer_managed_librar…
Thanks in no small part to a reminder from Sumana, I have updated the
RFC for "Composer managed libraries for use on WMF cluster". Much of
the initial work required for this RFC has now been implemented:
* The mediawiki/core/vendor.git gerrit repository has been created.
* make-wmf-branch has been updated to branch mediawiki/core/vendor and
add it as a submodule on new 1.XwmfY branches.
* The beta cluster is tracking the current HEAD of
mediawiki/core/vendor's master branch.
* The PSR-3 logging interface and Monolog libraries have been added to
mediawiki/core/vendor via gerrit commits.
* Work is progressing to configure Jenkins/Zuul to checkout
mediawiki/core/vendor during test runs.
I would appreciate feedback on the RFC. In particular I would like to
see discussion on how we should manage tracking upstream
vulnerabilities and security patches for deployed libraries. How
should we assign "ownership" of maintaining a particular library and
what techniques can we use to ensure that vulnerabilities are patched
in a timely and responsible manner?
Bryan
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
irc: bd808 v:415.839.6885 x6855
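One concrete way to start on the upstream-vulnerability tracking question raised above is to diff the versions pinned in the vendor repository's composer.lock against a list of known fixed-in versions. The script below is an added example, not code from MediaWiki or the mediawiki/core/vendor repository; the composer.lock fragment, the package example/library and the advisory id EXAMPLE-0001 are constructed placeholders, and the advisory list would in practice be fed from an external source.

```python
"""Flag pinned Composer packages whose version is older than a known fix."""
import json

# Constructed composer.lock fragment for illustration; not the real vendor lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "1.9.1"},
        {"name": "psr/log", "version": "1.0.0"},
        {"name": "example/library", "version": "2.0.3"},
    ]
})

# Constructed advisory list: package -> [(advisory id, first fixed version)].
# Hypothetical entries only; in practice this comes from an advisory feed.
SAMPLE_ADVISORIES = {
    "example/library": [("EXAMPLE-0001", "2.1.0")],
}


def parse_version(v):
    """Turn '1.9.1' or 'v1.9.1' into a comparable tuple; non-numeric parts become 0."""
    parts = []
    for piece in v.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:          # pad so '1.10' compares as (1, 10, 0)
        parts.append(0)
    return tuple(parts)


def pinned_packages(lock_json):
    """Return {name: version} for every package pinned in a composer.lock document."""
    data = json.loads(lock_json)
    pinned = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            pinned[pkg["name"]] = pkg["version"]
    return pinned


def vulnerable_packages(lock_json, advisories):
    """List (name, pinned, advisory_id, fixed_in) for pins older than the fix."""
    hits = []
    for name, version in pinned_packages(lock_json).items():
        for advisory_id, fixed_in in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                hits.append((name, version, advisory_id, fixed_in))
    return hits


if __name__ == "__main__":
    for name, pinned, advisory_id, fixed_in in vulnerable_packages(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print("%s %s is below fixed version %s (%s)" % (name, pinned, fixed_in, advisory_id))
```

Run against the real composer.lock in the vendor checkout, a non-empty result is the signal that a library "owner" needs to pull in the upstream fix and rebuild the vendor commit.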