Open Slamdunk opened 11 months ago
@Slamdunk
And here we will generate a lot of requests and issue reports, because laminas-http is in security-only maintenance mode and laminas-mvc is using it. Therefore, the step should be well-considered, even though I can understand the background of your request/idea.
This is trying to monkeypatch a situation that is not caused on our side by activism on our side.
The only clean solution to this issue would be to mark the library as "security-only" on packagist.
OTOH: What is exactly the issue? That people are not seeing fast enough that `laminas-log` is only supporting `psr/log` v1? That people are asking why it's only supporting v1? What people should do to solve their issue?
In all three cases adding a more prominent warning plus a label `security-fixes-only` might help people to see much faster what the issue is.
As we have that (kind of) in control we can much easier provide a better solution than marking the issue as "abandoned" on packagist.
Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message. As important as that is: The maintenance message addresses more people and currently isn't visible right away when people visit the repo...
> Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message.
👍🏻
And often the headline is missing:
> And here we will generate a lot of requests and issue reports, because laminas-http is in security-only maintenance mode and laminas-mvc is using it.
That would be good indeed, actively maintained packages should rely only on other actively maintained packages
> In all three cases adding a more prominent warning plus a label `security-fixes-only` might help people to see much faster what the issue is.
I disagree: do you read every day the homepage of every package you use? I don't, but I read daily the `composer update` output.
> Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message.
I understand the questions and concerns you raised, but this would have helped me no better than what it already did.
The more I think about this, the more `security-fixes-only` and `abandoned` are synonyms to me.
@Slamdunk
> That would be good indeed, actively maintained packages should rely only on other actively maintained packages
You may be right, but this creates frustration for the user and ends in countless requests, as the past shows. So that can't be the solution because we can't get laminas-mvc package changed over so quickly. A simple option would be to set the laminas-http to active again. (This is only one example.)
Security-only just marks a package feature complete. Regarding laminas-log, I really would encourage users to use monolog instead.
Other packages, such as laminas-http, will and can support newer PHP versions and are therefore still security-only, which includes PHP upgrades imho.
Hi everybody, today we were trying to update our dependencies to `psr/log:v3`, but `laminas-log` conflicted because it only supports `v1`. Ok, then I went to open a PR to extend its compatibility, but https://github.com/laminas/laminas-log/pull/50 was already there. I had to read all the comments, and then the `README.md`, and then `2020-08-03-TSC-Minutes.md` to find out it's marked as `security-only`.

I would like to ask you to mark all the `laminas` packages currently voted as `security-only` as `Abandoned` in https://packagist.org/packages/laminas/: this aims to spread awareness of their status thanks to the built-in functionality of `composer` to pop yellow warnings for abandoned packages.

I am aware that, semantically, they are not really abandoned, but I think for the end user it's better than not having it marked so.
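The mechanism the opening post relies on, as an added example that is not code from the laminas project or from anyone in this thread: the Packagist metadata for a package may carry an `abandoned` key (either `true` or the name of a suggested replacement), and Composer turns that into the yellow warning during install/update. The script below does the same check offline against a `composer.lock`, and also lists which locked packages directly depend on a flagged one, which is the second point raised above (an actively maintained package pulling in one in security-only mode). The lockfile and metadata are constructed samples; the `abandoned` values (laminas-log replaced by monolog, laminas-http abandoned without replacement) are hypothetical and illustrate the request, not the real status of those packages; the shape of the v2 metadata document is assumed from the public `repo.packagist.org/p2/<vendor>/<name>.json` format.

```python
"""Audit a composer.lock for packages flagged "abandoned" in Packagist metadata.

Added example, not laminas project code. The lockfile and metadata below are
constructed samples; the metadata shape (packages -> name -> list of version
entries, optional "abandoned" key that is True or a replacement name) is an
assumption based on the public Packagist v2 format.
"""
import json

# Constructed composer.lock excerpt (only the fields this check needs).
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "laminas/laminas-log", "version": "2.15.0",
     "require": {"psr/log": "^1.0"}},
    {"name": "laminas/laminas-mvc", "version": "3.6.0",
     "require": {"laminas/laminas-http": "^2.15"}},
    {"name": "laminas/laminas-http", "version": "2.18.0", "require": {}},
    {"name": "psr/log", "version": "1.1.4", "require": {}}
  ],
  "packages-dev": []
}
""")

# Constructed Packagist-style metadata, keyed by package name. The "abandoned"
# values are hypothetical: they show what the thread asks for, not the real
# status of these packages.
SAMPLE_METADATA = {
    "laminas/laminas-log": {"packages": {"laminas/laminas-log": [
        {"name": "laminas/laminas-log", "version": "2.15.0",
         "abandoned": "monolog/monolog"}]}},
    "laminas/laminas-mvc": {"packages": {"laminas/laminas-mvc": [
        {"name": "laminas/laminas-mvc", "version": "3.6.0"}]}},
    "laminas/laminas-http": {"packages": {"laminas/laminas-http": [
        {"name": "laminas/laminas-http", "version": "2.18.0",
         "abandoned": True}]}},
    "psr/log": {"packages": {"psr/log": [
        {"name": "psr/log", "version": "1.1.4"}]}},
}


def locked_packages(lock):
    """Yield (name, version, require) for every package in the lockfile."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            yield pkg["name"], pkg["version"], pkg.get("require", {})


def abandoned_status(metadata, name):
    """Return None (not abandoned), True (no replacement) or the replacement name.

    Packagist flags abandonment per package, not per version, so the first
    entry carrying the key is enough. In a live run the document would be
    fetched from repo.packagist.org/p2/<name>.json instead of a dict lookup.
    """
    doc = metadata.get(name)
    if not doc:
        return None
    for entry in doc.get("packages", {}).get(name, []):
        if "abandoned" in entry:
            return entry["abandoned"]
    return None


def composer_warning(name, replacement):
    """Build the warning text in the wording Composer prints for abandoned packages."""
    hint = ("No replacement was suggested." if replacement is True
            else f"Use {replacement} instead.")
    return f"Package {name} is abandoned, you should avoid using it. {hint}"


def audit(lock, metadata):
    """Return a sorted list of (name, replacement) for abandoned locked packages."""
    found = []
    for name, _version, _require in locked_packages(lock):
        status = abandoned_status(metadata, name)
        if status is not None:
            found.append((name, status))
    return sorted(found)


def dependents_of(lock, target):
    """Names of locked packages that directly require `target`."""
    return sorted(name for name, _v, req in locked_packages(lock) if target in req)


if __name__ == "__main__":
    for name, replacement in audit(SAMPLE_LOCK, SAMPLE_METADATA):
        print(composer_warning(name, replacement))
        for dep in dependents_of(SAMPLE_LOCK, name):
            print(f"  required by {dep}")
```

On the maintainer side the same flag is set either on the Packagist package page or with `"abandoned": "vendor/replacement"` (or `"abandoned": true`) in the package's own `composer.json`; consumers get the warning with no action on their part, which is what the request above is after.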