laminas / technical-steering-committee

Laminas Project Technical Steering Committee organization and processes.
BSD 3-Clause "New" or "Revised" License

Mark security-only packages as `Abandoned` in packagist.org #154

Open Slamdunk opened 11 months ago

Slamdunk commented 11 months ago

Hi everybody, today we were trying to update our dependencies to psr/log:v3, but laminas-log conflicted because it only supports v1. OK, then I went to open a PR to extend its compatibility, but https://github.com/laminas/laminas-log/pull/50 was already there. I had to read all the comments, then the README.md, and then 2020-08-03-TSC-Minutes.md to find out it's marked as security-only.

I would like to ask you to mark all the laminas packages currently voted as security-only as Abandoned in https://packagist.org/packages/laminas/: this aims to spread awareness of their status thanks to the built-in functionality of composer to pop yellow warnings for abandoned packages.

I am aware that, semantically, they are not really abandoned, but I think for the end user it's better than not having it marked so.

froschdesign commented 11 months ago

@Slamdunk

…this aims to spread awareness of their status thanks to the built-in functionality of composer to pop yellow warnings for abandoned packages.

And here we will generate a lot of requests and issue reports, because laminas-http is in security-only maintenance mode and laminas-mvc is using it. Therefore, the step should be well-considered, even though I can understand the background of your request/idea.

heiglandreas commented 11 months ago

This is trying to monkeypatch a situation that is not caused on our side by activism on our side.

The only clean solution to this issue would be to mark the library as "security-only" on packagist.

OTOH: What exactly is the issue? That people are not seeing fast enough that laminas-log only supports psr/log v1? That people are asking why it only supports v1? What people should do to solve their issue?

In all three cases adding a more prominent warning plus a label security-fixes-only might help people to see much faster what the issue is.

As we have that (kind of) under control, we can much more easily provide a better solution than marking the package as "abandoned" on packagist.

Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message. As important as that is: The maintenance message addresses more people and currently isn't visible right away when people visit the repo...

froschdesign commented 11 months ago

Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message.

👍🏻

And often the headline is missing:

Slamdunk commented 11 months ago

And here we will generate a lot of requests and issue reports, because laminas-http is in security-only maintenance mode and laminas-mvc is using it.

That would be good indeed: actively maintained packages should rely only on other actively maintained packages.

In all three cases adding a more prominent warning plus a label security-fixes-only might help people to see much faster what the issue is.

I disagree: do you read the homepage of every package you use every day? I don't, but I read the composer update output daily.

Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message.

I understand the questions and concerns you raised, but this would have helped me no better than what it already did.

The more I think about this, the more security-fixes-only and abandoned are synonyms to me.

froschdesign commented 11 months ago

@Slamdunk

That would be good indeed: actively maintained packages should rely only on other actively maintained packages.

You may be right, but this creates frustration for the user and ends in countless requests, as the past shows. So that can't be the solution, because we can't get the laminas-mvc package changed over so quickly. A simple option would be to set laminas-http to active again. (This is only one example.)

boesing commented 11 months ago

Security-only just marks a package as feature complete. Regarding laminas-log, I really would encourage users to use monolog instead.

Other packages, such as laminas-http, will and can support newer PHP versions and are therefore still security-only, which includes PHP upgrades imho.