As part of the Composer initiative, we need to create some Composer plugins within Drupal core. Current issues dealing with Composer plugins are:
- #2982684: Add a composer scaffolding plugin to core
- #3057094: Add Composer vendor/ hardening plugin to core
Since we're adding Composer-based plugins to Drupal core as subtree-split components, we need to be able to run their tests.
This means adding composer/composer
as a dev dependency of those components.
For components, we have historically used the wikimedia merge plugin to merge the dev dependency of components when installing or updating drupal/drupal. We can see this is the case in #2982684: Add a composer scaffolding plugin to core, which seeks to add a scaffold-building plugin to core. This plugin is not expected to be available to Composer, however, within the scope of that issue. Therefore merging the dependencies is fine for now.
In the case of #3057094: Add Composer vendor/ hardening plugin to core, however, we do expect the vendor cleanup plugin to be available to Composer when it installs and updates core locally. We need to a) Allow the plugin to do vendor cleanup during install and update before core's runtime starts, and b) Be able to patch the component and its tests, and then run the tests. This means we can't use merge to inherit the plugin's dev dependencies. That's why that issue changes the drupal/drupal package to have composer/composer as a dev dependency, along with other packages already in use in core. This is acceptable because the plan of the Composer initiative is to replace drupal/drupal with a Composer-based project that emulates the tarball style: #2982680: Add composer-ready project templates to Drupal core
The difference between those two issues explained, it seems as though reviewers here would be familiar with composer/composer since it's used all day every day to build essentially all PHP projects everywhere. :-)
composer/composer
- On packagist: https://packagist.org/packages/composer/composer
- On github: https://github.com/composer/composer
- Maintainership of the package: Total ubiquity in the PHP community. Frequent releases.
- Security policies of the package: Research continues...
- Expected release and support cycles: Frequent releases. Composer 2.0 roadmap does not have an expected release date: https://github.com/composer/composer/milestone/23
- Code quality: Mature, high coverage tests, Travis-CI: https://github.com/composer/composer/blob/master/.travis.yml
- Other dependencies it would add, if any: As of v.1.8.5, composer/composer brings along:
- symfony/finder,
- symfony/filesystem,
- seld/phar-utils,
- seld/jsonlint,
- composer/xdebug-handler,
- composer/spdx-licenses,
- composer/ca-bundle
Comment | File | Size | Author |
---|---|---|---|
#23 | 3057459_23.patch | 18.07 KB | Mile23 |
#21 | 3057459_20.patch | 18.06 KB | Mile23 |
#14 | 3057459_14.patch | 18.11 KB | Mile23 |
#14 | interdiff.txt | 3.06 KB | Mile23 |
#4 | 3057459_4.patch | 18.19 KB | Mile23 |
Comments
Comment #2
Mile23Comment #3
alexpottWe need to remember to remove the test folders from the new dependencies - ie change \Drupal\Core\Composer\Composer::vendorTestCodeCleanup()
Comment #4
Mile23Changes in #3, along with the results of this set of commands:
Comment #5
alexpottHmmm I would have expected core/composer.json to get the dependency not the root composer.json
Comment #6
Mile23Well it's not a dependency of drupal/core.
It's not really a dependency of drupal/drupal either...(Edit: See #8) It's just that we need to have it available in dev so that we can run tests for the new component.In #2982680: Add composer-ready project templates to Drupal core the plan is to sort of demote drupal/drupal such that you use it to build out your local dev version of core, but it's not the way you install Drupal to build a site. It will not be used to build the tarball download for core. That's why it's the best choice here (and in #3057094: Add Composer vendor/ hardening plugin to core).
At some point we might also end up testing components in isolation: #2943856: [meta] Reorganize Components so they are testable in isolation In that case, we can just remove the dependency from drupal/drupal. Note that this is the best solution of all, and it's probably where we'll end up if we stop using the merge plugin. #2912387: Stop using wikimedia/composer-merge-plugin
Comment #7
alexpottI dunno it feels odd to add a dependency for testing here. I think core/composer.json's dev section is best because that's where all the dev dependencies for the entirety of core testing live at the moment. Yes this isn't the best way to do it but make this the first exception without doing the rest feels odd.
Comment #8
Mile23I misspoke earlier... composer/composer actually *is* a dependency of drupal/drupal (or will be), because drupal/core-vendor-cleanup will be a dependency of drupal/drupal, and not drupal/core.
Comment #9
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented+1 for this as an interim measure. As mentioned above, this only lasts until #2943856 lands. Sounds like adding to drupal/core does not work.
Comment #10
alexpottI understand the wish to appear to do things in the way that is considered "correct" but halfway houses with things spread all over the place makes things more difficult and not less. This would be the first instance of a dev dependency in the root composer.json. Let's not do that.
Adding it to drupal/core does work because we merge dependencies. As this issue is not about #2912387: Stop using wikimedia/composer-merge-plugin let's not preempt the order that everything happens.
Comment #11
xjmThanks @Mile23 for the dependency evaluation info. Tagging.
Comment #12
xjmWe'll probably want to look at those two seld packages and add the evaluation for them as well. Not that I expect there to be a problem with the maintainership of something Composer requires. ;) But hey, left-pad. And it would be good to have the other info on things like e.g. security contacts (since Composer itself includes no concept of security releases) and their release cycles.
Thanks!
Comment #13
MixologicAs a result of the last composer initiative meeting, some of the following determinations were proposed:
1. Since drupal/drupal needs to have some sort of vendor cleanup, *but only for the short time while its still being used to create -dev tarballs*, we'll not make drupal's root composer.json rely on the new vendor test cleanup plugin. This makes us not need to concern ourselves with drupal/drupal.
2. As such, composer/composer is therefore *only* required as a dev dependency in order to test the plugin. We should put that dependency into drupal/core/composer.json's `require-dev` section.
While it might potentially 'save us time down the road' to have that dev dependency specified at the component level and allow it to be merged back up in order to test it, we dont actually know what down the road is going to look like, and dev dependencies in components add additional maintenance challenges. Which is why we came to the consensus to manage it in drupal/core/composer.json vs the require-dev section of the vendor test code cleanup plugin.
Comment #14
Mile23So at the meeting, we reached a question: Where should the development dependencies for components live?
The answer from @alexpott is that components should not have dev dependencies in their composer.json file. Dev dependencies should be declared in drupal/core, so they're in one place and easy to manage.
With that in mind, here's a patch that adds composer/composer to core/composer.json.
Comment #15
Mile23Comment #16
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedVersion of symfony/finder changed in composer.lock, which I believe is undesirable, right?
Comment #17
Mile23The process was similar to #4.
Symfony 3.4.28 was released yesterday. https://symfony.com/blog/symfony-3-4-28-released
Comment #18
MixologicRe #16: it only changed from the last patch, but its something being added currently, so may as well add the most recent version.
Im unfamiliar with the policies surrounding adding a dev requirement to core.
Is it our responsibility to ensure that, if end users do the very wrong thing and install dev dependencies on a production site, *and* those dependencies live under docroot, that the dev dependencies existence does not introduce a security issue? Because following those steps will almost certainly introduce a security issue.
These libraries should only be there if you are developing or testing drupal core itself, and should not show up for any user that is requiring drupal/core in their project. (unless somebody manually duplicates them and puts them into their project as an actual requirement that then gets added to their projects for testing purposes e.g. https://github.com/webflo/drupal-core-require-dev) but that should never be used in production and should only be used for testing a site.
Seems like the best we can do when it comes to the security of something like this is #2830880: Warn site admins when composer dev dependencies are installed inside of docroot in conjunction with #3057094: Add Composer vendor/ hardening plugin to core, and that there isn't much more process in place for coordinating security issues with the upstream dependencies themselves.
RE #12 The seld/* libraries are seldaek, aka Jordi Boggiano, the lead developer of Composer, so essentially the same degree of confidence as the rest of the composer/* libraries.
Assuming all the above is true, believe we should move forward with adding these as dev requirements.
Comment #19
larowlanThis looks good to me, needs a re-roll though. Removing the FM tag, so we just need an RM to sign off too. I'll ping them
Comment #20
Mile23Thanks, @larowlan.
Rerolled after #3055040: Roll AbstractEventDispatcherTest into ContainerAwareEventDispatcherTest
Comment #21
Mile23Imposter syndrome +1.
Comment #22
borisson_Back to RTBC as the reroll was succesful and the tests are green again. There is a .05kb size difference in the patch but that is not a lot and I am assuming it is because of different context-lines included.
Comment #23
Mile23Reroll after #3057462: Add missing packages to \Drupal\Core\Composer\Composer::$packageToCleanup
Comment #24
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedPatch still looks good; back to RTBC after re-roll & passing tests.
Comment #25
MixologicThis patch is a blocker for progress on the rest of the composer initiative, and considering that it is not a code patch, and is a policy/dependency adjustment, is there anything we can do to accelerate this to a consensus state?
Would it help to have a short meeting with the release managers to address any outstanding concerns?
Comment #27
mmjvb CreditAttribution: mmjvb as a volunteer commentedComment #28
Mile23Restarting the testbot since it looks like a lot of unrelated fails.
Comment #29
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThanks @Mile23 - green again.
Comment #30
catchCommitted a933b3a and pushed to 8.8.x. Thanks!
Comment #33
xjmThis seems like it should probably at least have a CR. Also it should be added to the dev dependencies section here: https://www.drupal.org/core/dependencies#dev
Re: #18, two words: dev tarballs. Right?
I debated whether this merited a release notes mention, but I think probably not since it's a dev dependency and won't be included in the tagged releases, thus not affecting the thing that has the release notes. (A new production dependency should probably be mentioned alongside the dependency version updates in case some site or project required an unresolvable conflicting version of the same dependency or such.)
Comment #34
Mile23Added CR: https://www.drupal.org/node/3087622
Added to the dependencies list page: https://www.drupal.org/core/dependencies#dev
Removing the 'needs documentation update' tag because I think that's the dependencies list page, right?
Comment #35
Mixologicre #18 So how do we deprecate dev tarballs? We've went to great lengths to ensure we can still make them in d8.8/8.9 for bc sake, but it would be nice to remove that requirement entirely, unless we have a really valid use case for them. (we'd still have tarballs of -dev _versions_, just not ones that contain dev dependencies themselves).
Comment #36
Mixologicdurned drupal forms and all that caching jazz.
Comment #37
Mile23Setting RTBC so we can get a call from a maintainer abt the question in #35.
Comment #38
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThe most common place users are going to encounter dev tarballs is when they use
drush dl
to download a dev version of Drupal. I'm not sure if we need to support running the tests in this configuration. If I had to guess, I might say that the main use-case for running tests afterdrush dl
of a dev version would be in folks' CI scripts.Comment #39
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedComment #40
catchI think it would be reasonable to remove dev dependencies from dev tarballs - opened a follow-up at #3128715: [policy, no patch] Remove dev dependencies from dev tarballs.
Moving this back to fixed.
Comment #42
quietone CreditAttribution: quietone at PreviousNext commentedpublish the cr