Notes and tasks following marking of security-only packages

[weierophinney]

In preparation for marking packages as security-only and/or archiving them, I made the following notes, indicating follow-on tasks we need to track.

Packages depending on laminas-config

• laminas-i18n uses it in the AbstractFileLoader for reading from an INI file; maybe replace with hassankhan/config?
• laminas-validator uses it in tests; we can replace these with generic ArrayObject implementations.
• laminas-view uses it in tests; can likely be replaced with generic ArrayObject implementations.
• laminas-modulemanager returns config as a Config instance by default; cannot change this currently without a BC break.

Packages depending on laminas-console

• laminas-view: uses it in UrlIntegrationTest; can leave as-is, but should mark those tests deprecated
• laminas-modulemanager
  • mark Console(Usage|Banner)ProviderInterface as deprecated

Packages depending on laminas-crypt

• laminas-filter: Encrypt/BlockCipher depends on laminas-crypt
  • mark as deprecated
  • create new package delivering it, and mark as security-only
• laminas-authentication: uses Laminas\Crypt\Password\Apache and Laminas\Crypt\Utils::compareStrings
  • we can likely inline the apache password functionality, and deprecate the old functionality
  • we can likely inline the compareStrings functionality
• api-tools-oauth2: we can likely switch the implementation to use native PHP tools for bcrypt

Packages depending on laminas-db functionality

This one is kind of big. We use it in laminas-feed, laminas-validator, laminas-session, laminas-log, laminas-paginator, laminas-authentication, api-tools-oauth, api-tools-content-validation, and api-tools.

We should probably come up witha comprehensive strategy for updating these packages, by one or more of:

• Deprecations of db-based functionality, and splitting those classes to different packages.
• Additions of doctrine/dbal functionality that mimics the laminas-db functionality

Original strategy:

• Look for packages of ours that consume laminas-db functionality.
• split dependent functionality into separate packages
  • mark these as security-only
• Mark laminas-db-consuming classes deprecated
  • indicate NO guarantees of working on PHP 8
• Remove any explicit deps on laminas-db
• Add new package as a suggested package

Packages depending on laminas-dom

• laminas-test uses laminas-dom for a number of DOM/XPath assertions. It's an implementation detail, so we can adapt to use symfony/dom-crawler.

Packages depending on laminas-http

This one is kind of big. We use it heavily, as it forms the core of our MVC and by extension the laminas-api-tools; the various RPC servers; and numerous components that are tangentially related to the MVC (session, navigation, etc.).

We need a comprehensive strategy for updating these packages.

Notes:

• laminas-feed uses it in both the Reader and PubSubHubbub components. The former can likely be updated to use an alternative client by default in a new minor release, and the LaminasHttpClientDecorator can be marked deprecated. The latter uses it conditionally:

  • PubSubHubbub\Publisher uses it as an internal detail; this can be refactored.
  • PubSubHubbub stores an HTTP client as a singleton, but does not consume it itself (Subscriber consumes it, though).
  • Subscriber consumes the HTTP client, but does so as an implementation detail. We could adapt it to use an explicitly set client, and deprecate usage of the singleton client.
  • AbstractCallback stores and uses either a laminas-http response, or the package-specific HTTP response; this could be refactored to raise a deprecation notice when a laminas-http response is used.
  • CallbackInterface has methods for setting and retreiving the HTTP response, and assumes it is a PubSubHubbub\HttpResponse instance.

• laminas-validator sets a dependency on laminas-http... but does not actually use it.

• laminas-view stores a response in the Json helper, and, when invoked, sets the Content-Type header on it. (It also uses laminas-json to encode the JSON.) This can stay as-is.

• laminas-mvc clearly still uses it.

• laminas-session uses Laminas\Http\PhpEnvironment\RemoteAddress in the RemoteAddr validator to get the IP address. We can likely inline the class.

• laminas/laminas-psr7bridge bridges between it and PSR-7

• laminas-router clearly still uses it.

• laminas-authentication uses it in its Http authentication adapter. We should likely separate this one to its own package, and add a new one for PSR-7. Or just deprecate the damn package.

• laminas-test clearly still uses it.

• The various laminas-api-tools repositories still use it.

• laminas-navigation uses it for Uri-based pages.

• laminas-xmlrpc uses it for HTTP negotiation.

• laminas-json-server uses it for HTTP negotiation.

• laminas-recaptcha uses it for HTTP requests.

• laminas-twitter uses it for HTTP requests

Packages depending on laminas-json

These can all likely be inlined with usage of native JSON tools.

• laminas-view (the AbstractHtmlElement, JSON helper, JsonRenderer, and JsonModel)
• laminas-mvc (AbstractRestfulController)
• laminas-paginator (Paginator::toJson()
• api-tools-api-problem
• api-tools-content-negotiation
• laminas-json-server
• laminas-recaptcha (listed as a dependency, but never used)
• laminas-twitter

Packages depending on laminas-loader

Try and inline the required functionality where possible; otherwise, loosen up dependencies and start moving away from them.

• laminas-http (plugin class locator/loader)
• laminas-view (listed as a dependency, but never referenced)
• laminas-modulemanager (module autoloader, autoloader factory)
• laminas-diagnostics (listed as a dependency, but never referenced)
• api-tools (provides StandardAutoloader extension; not sure why)
• api-tools-admin (references StandardAutoloader in tests for retrieving autoloader config)

Packages depending on laminas-log

• laminas-view (used in one test; can likely be rewritten)
• laminas-test (listed as a dependency, but never referenced)
• laminas-navigation (listed as a dependency, but never referenced)
• api-tools-oauth2 (listed as a dependency, but never referenced)
• api-tools-doctrine (listed as a dependency, but never referenced)
• api-tools-doctrine-querybuilder (listed as a dependency, but never referenced)

Packages depending on laminas-math

• laminas-validator Used in CSRF validator for randomint - switch to native PHP functions
• laminas-captcha Used in AbstractWord for randomizing; switch to native PHP function
• laminas-xmlrpc Used in BigInteger for BigInt calculations; use native PHP functionality

Packages depending on laminas-oauth

• laminas-twitter (should likely refactor this to use a PSR-7 client)

Packages depending on laminas-serializer

This one is problematic due to usage in laminas-cache and laminas-hydrator; may need to come up with alternate plugins/strategies.

• api-tools-doctrine (listed as a dependency, but never referenced)
• api-tools-doctrine-querybuilder (listed as a dependency, but never referenced)
• api-tools-oauth2 (listed as a dependency, but never referenced)
• laminas-cache (serializers can be used as plugins)
• laminas-cache-storage-adapter-xcache (serializers can be used as plugins)
• laminas-hydrator (SerializableStrategy)
• laminas-test (listed as a dependency, but never referenced)
• laminas-view (listed as a dependency, but never referenced)

Packages depending on laminas-text

• laminas-form (listed as a dependency, but never referenced)
• laminas-captcha (used for Figlet text; can likely leave as-is and/or deprecate that captcha type)

Packages depending on laminas-uri

• api-tools-hal (used for validating URIs used as HREFs; can be refactored, as it is an internal detail)
• api-tools-rest (used during testing, as this component uses laminas-http)
• laminas-authentication (used for comparing request URI path to Authorization header URI path; used due to laminas-http)
• laminas-filter (used in UriNormalize filter; can be refactored, as it is in internal detail)
• laminas-http (used for URI representations)
• laminas-navigation (listed as a dependency, but never referenced)
• laminas-test (used for several URI assertions, as this is for the MVC, and thus uses laminas-http)
• laminas-twitter (due to usage of laminas-http)
• laminas-validator Uri validator is based on it; we should deprecate it, and provide an alternate implementation. Also, Sitemap\Loc validator uses it internally for validation of the sitemap URI; can be refactored.
• laminas-view (used internally in Sitemap helper to validate server URL; can be refactored)

[froschdesign]

I think we should create a project for this topic to track the progress and the get and give an overview.

[heiglandreas]

Is this still relevant? Do we have a project? What's the status here?

Ping @laminas/technical-steering-committee

[Ocramius]

I think the above needs to at least become a checklist, and need an assignee to pick it up :D

[froschdesign]

I will create a list on which repositories the message is missing in the readme file. (Example: laminas-log)

[froschdesign]

The message is only missing in laminas-log.

(laminas-console and laminas-mvc-console are abandoned and the repositories are archived.)

[heiglandreas]

SO who's fixing that for laminas-log?

[froschdesign]

@heiglandreas I will create a pull request.