breaks vendor folder statelessabilty.

[delirehberi]

Code in the below breaks the statelessability of vendor folder. I did face when I try to deploy my sylius project with nixops.
So, I can't deploy my project with use composer2nix package cause of that. Is there any option to configure this path or any plan about that?

https://github.com/Ocramius/PackageVersions/blob/1d32342b8c1eb27353c8887c366147b4c2da673c/src/PackageVersions/Installer.php#L137

[Ocramius]

The path is supposed to be the same one as the class that acts as a fallback. I'm also interested in using nixops for this, but as a first workaround, you can use --no-scripts to rely on a slower version of PackageVersions\Versions

[Ocramius]

@delirehberi to be clear: writing to vendor/ is 100% a design decision I took while writing this package. composer install is a stateful operation, which is where I put this plugin.

[delirehberi]

I get it, its ok vendor/ is stateful but in my opinion, a package folder inside the vendor/ folder must be stateless. composer install process could modify only autoloader, static files, and cache-log folders.

[Ocramius]

composer install should only be run if there is a composer.lock change - if that is true, then PackageVersions\Versions needs to change too.

The only location that is "owned" by this package is indeed vendor/ocramius/package-versions.

[delirehberi]

composer2nix turns composer.lock file to independent nix-stores. I mean, every package had own hashed nix store folder and this folder mark as readonly after package installed. It causes permission denied error if any composer script tries to write a package folder.

I said before, every package folder inside vendor/ must be stateless. Package installed, ok, don't touch this folder anymore.

[Ocramius]

I'd say "don't re-install on an already installed vendor" then?

This problem will occur with any script touching vendor BTW, so the underlying problem is not avoidable by just challenging this package's assumption: a reliable solution for storing build-time (deterministic, in this case) artifacts is needed.

[Ocramius]

Basically, this library is a compile-time step: it is functionally pure (assuming same vendor dir, an equal vendor/ocramius/package-versions/src/PackageVersions/Versions.php is produced), but it does indeed need to write to that exact location, or another location that is in vendor.

It cannot write to other locations of the project, since everything else is completely obscure to the package itself.

[delirehberi]

Thanks for responses. It`s not a package specific problem. I write a blog post about that. https://emre.xyz/composer-is-not-a-builder

[Ocramius]

It is very much a builder from my PoV: a designated build directory is missing, so you may bring that up upstream.