Problem/Motivation
This is a followup for #3096781: symfony/mime and symfony/var-dumper versions are on 5.1.7 (not an LTS) and therefore have gaps in security coverage relative to Drupal minors.
symfony/mime
, symfony/var-dumper
, and symfony/phpunit-bridge
are pinned to non-LTS 5.x versions in Drupal core. We failed to update to 5.2 versions for Drupal 9.1, so there are ten months where we are responsible for the security coverage of these components. If we can adopt 5.3 versions in time for Drupal 9.2, the gap will be shortened to four months.
Proposed resolution
-
We officially moved the release dates for 9.2 and 9.3 later in June and December respectively, in order to give us more lead time after the Symfony minor version to adopt it in core.
-
We should test Symfony their beta releases during our beta releases each minor, since their minor will be out before Drupal's. #3096781: symfony/mime and symfony/var-dumper versions are on 5.1.7 (not an LTS) and therefore have gaps in security coverage relative to Drupal minors attempted to make this happen, but encountered test failures. The goal of this issue is to try to resolve those failures with a 9.1.x patch that will not be committed, just to provide a pattern for a working patch that we can use for this in 9.2.x development.
Remaining tasks
-
Upload 9.1.x patch from previous issue.
-
Get help from Composer initiative contributors to make a working patch with Symfony 5.1.0-RC3 versions and resolve the test failures.
-
Do not commit the patch, but use it as a model for a 9.2.x / Symfony 5.2 beta patch in five months.
Comment | File | Size | Author |
---|---|---|---|
#51 | interdiff.txt | 1.46 KB | effulgentsia |
#51 | 3186364-51.patch | 13.34 KB | effulgentsia |
#46 | 3186364-46-alpha.patch | 13.29 KB | effulgentsia |
#46 | 3186364-46.patch | 13.29 KB | effulgentsia |
#42 | interdiff.txt | 1.31 KB | effulgentsia |
Comments
Comment #2
xjmPatches from the previous issue, with test failures.
Comment #3
xjmComment #4
xjmComment #6
xjmComment #7
jungleJust make tests pass.
Comment #8
junglecomposer create-project
does two things in one go from my understanding: 1) clone the project template, 2) runcomposer install
.With
--no-install
, it skips step #2 -- installation. This gives the chance to insert an extra step #2.0 changingminimum-stability
fromstable
todev
:composer config minimum-stability dev
before installation.Comment #9
jungleBTW, there is an option
--stability=STABILITY
forcomposer create-project
, but it did not work for me.Comment #10
longwaveI couldn't get the
--stability
flag to work either, I think maybe because we specify COMPOSER_ROOT_VERSION this overrides it in some way.Based on @jungle's work in #7, this patch now calculates the minimum stability of our all our vendored dependencies, and uses that to set the minimum stability of the template project. This means that in the usual case we will create a stable template, but if we happen to be testing RC (or even beta, alpha or dev) dependencies the template project will match, and this will allow the project to be installed.
The stable patch is ready for commit. The rc patch should prove that the tests still pass when we have RC dependencies.
Comment #11
longwaveComment #12
longwaveTechnically this works for all components, not just Symfony ones.
I have applied it over in #3161889: [META] Symfony 6 compatibility to get a -dev branch of behat/mink-browserkit-driver passing the Composer build tests.
Comment #13
longwaveComment #14
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThe purpose of the
testTemplateCreateProject
is to determine if composercreate-project drupal/recommended-project
(and legacy-project) is going to work; however, this patch modifies the minimum stability of the template before testing it. This seems to imply to me that although the test will pass, the template project itself isn't going to work after the subtree splitter writes it to github, as it won't have the right minimum stability.Have I missed a step or otherwise misunderstood the intention here?
Comment #15
longwaveThe intent here is to get a green test run if a patch includes a non-stable dependency and there are no failures introduced by that dependency. The issue is that if, for example, we upload a patch that includes a beta or release candidate of Symfony, the project build test fails in
composer create-project
:I am assuming that at the moment we never actually want to commit a pre-release version of a dependency, so we don't actually want to change the template; we just want the tests to pass.
I suppose an alternative option would be to skip the project build tests entirely if we detect a pre-release dependency? Or even, don't commit anything from this issue, and just document somewhere that when testing with pre-release dependencies you also need to skip this test?
Comment #16
xjm@longwave @greg.1.anderson In fact we might actually want to make HEAD dependent on betas or RCs of Symfony minors for these components. For example:
For now, this only affects these three components, but it's going to become very important in Drupal 10 if we manage to get to Symfony 6.
Therefore, we need a way for our betas and RCs to depend on their betas and RCs, and a way to specifically allow this in the templates and metapackages for the pre-release milestones.
Comment #17
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedCurrently, an RC release has a minimum stability of RC, e.g.: 9.1.0-rc1
A stable release has minimum stability stable, though, e.g.: 9.1.2
So, I don't think we have a problem with using Symfony betas or other betas in Drupal beta releases; this should already be allowed. If I'm wrong about this, then perhaps we do need a patch, but it would be better to fix the metapackage generator instead of fixing up the metapackage mid-patch. I'm not sure why we see the problems e.g. in #15 since we have minimum stability dev in our dev project templates, which I would expect should be what the tests are using. If the issue is with project template version selection, then we should fix that and make sure we are starting with a dev project template for the test.
The problem will remain, though, is that once someone starts a site with drupal/recommended-project, they do not get any further updates that we might make to the templates, so we can expect that today, folks with Drupal 9 sites will by-and-by-large be using minimum stability stable. This makes it difficult for us to put non-stable dependencies in stable releases of drupal/core, because these will be rejected by minimum stability stable unless the non-stable dependency is listed in the top-level composer.json file, which of course we do not want.
If we thought that it would solve problems to allow the use of RC components in stable Drupal releases, then we could change the minimum stability of drupal/recommended-project to "rc" instead of "stable" for stable releases. This would probably have limited impact. Then, we'd also need to get the word out throughout the community that before anyone upgrades to Drupal whatever-it-is-we-decide (e.g. Drupal 9.2.0 stable, to use Symfony 5.3.0-rc*), then they all must update their top-level composer.json file to also allow minimum stability stable.
I don't think it would be a good idea to do the same thing for minimum stability beta, though, since this limitation (or lack of limitation) applies to all dependencies in the project. There is no technical reason why we could not pull back to beta or alpha as the required minimum stability to run Drupal. It just sort of begs the question what a "stable" release of Drupal is if we are saying that in order to make our release schedule work, we perpetually need to be running unstable versions of Symfony at the beginning of each release cycle. I think this is a bad idea; Drupal sort of decided to become beholden to the Symfony release schedule, so it would make sense to have our release schedule align with theirs somewhat so that we could release our next stable after their stable release.
Comment #18
catchAt the moment if you put a release candidate into a dev release of core, then
ComposerProjectTemplatesTest
fails. Some context on #3213295: Update Symfony 5 components to 5.3-rc1. Example here: https://www.drupal.org/pift-ci-job/2062451Bumping this to critical since it will eventually block us running on Symfony 6.
Comment #19
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThere are other use-cases for wanting to know what a -dev version is equivalent to (what the most recent tagged release on the branch was). Since release managers already have to modify Drupal::VERSION whenever they make a release, and then modify it back to *-dev afterwards, I think adding another constant right below it would be the best way to add minimal work to release managers and thereby increase the likelihood of it remaining correct as releases get made.
Therefore, how about this approach that's based on that? Since this is a different approach than #10, I'm not uploading an interdiff.
Comment #21
effulgentsia CreditAttribution: effulgentsia at Acquia commentedComment #22
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThis context line causes #21 to not apply on Drupal 9.3. This patch only changes that line and nothing else.
Comment #24
effulgentsia CreditAttribution: effulgentsia at Acquia commentedRight, so that's not gonna work on 9.3.x either. Since there's no release yet on 9.3.x, this patch sets it to '9.3.0-dev'.
Comment #25
alexpottThe comment could do with describing this situation. I.e. when both are 9.x.0-dev. I.e there have been no releases for that particular minor. Otherwise the
When VERSION is a "-dev" version...
comment doesn't make sense.I also wonder if this complexity is necessary.
Another approach would be to change ComposerProjectTemplatesTest to look for git tags in a minor release. If the test is not being run for a git checkout we could skip the test. And then all the complexity would be contained and there wouldn't be a confusing constant to add.
Comment #26
longwaveIsn't there an issue with #19 that the branch tests will fail if the release manager bumps VERSION_FLOOR as part of a release, but we have dependencies that aren't stable enough? IIRC we don't run tests before the "Back to dev" commit. What do we do if and when that happens? The release will already have been made with the set of dependencies that would fail this test, I think?
Basically, isn't this test trying to predict whether a future release will have the correct stability? The last release doesn't matter so much, as I think we want to know ahead of time whether the next release will be correct. But we can't always know what that next version will be!
Comment #27
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThis patch only changes the comments.
Hm, yeah that could be a way to do it as well. I don't know if I'll have time today to try that, so if someone else wants to, go for it.
That's one advantage of the VERSION_FLOOR constant over doing it based on git tags. With the constant, you could post a patch that changes that constant and run that patch on DrupalCI prior to tagging the release. With the git tags approach, you'd have to either tag and run the test locally (which is time consuming) prior to pushing, or you could post a patch on DrupalCI that overrides a local variable within
ComposerProjectTemplatesTest
(which might be a little harder to remember).That's not always true. For example, you might add a beta dependency to a beta1 release. You now have 2 weeks until the RC release, but on the minute after you've tagged beta1, you haven't yet updated your dependencies to rc versions. You know you need to in the coming week or so, but you don't want HEAD failing tests in the meantime. In terms of knowing whether the next release will be correct, I think the best way is per above to post a patch that changes the constant however far in advance of the upcoming release that you want to and see if it comes back green.
Comment #28
alexpottI worry that we're introducing extra complexity for something that will not happen very often. Wouldn't it be simpler to change the minimum stability to RC in the test now and then set it back to stable when we update the dependencies. We could make the minimum stability easy to change and have document that when it is not stable there must be a @todo with a link to an issue to change it back. This way we don't pollute \Drupal with another constant that has very little use-case.
Comment #29
longwaveWe could also make the test fail if the stability set in the test doesn't match the minimum stability of all dependencies.
Comment #30
alexpott#29 sounds like a smart idea.
Comment #31
effulgentsia CreditAttribution: effulgentsia at Acquia commentedFixed.
Fixed.
Comment #32
effulgentsia CreditAttribution: effulgentsia at Acquia commented#31 should hopefully pass, since this is correct for HEAD as-is.
These two patches just change this to 'alpha' and 'RC' respectively. The first should fail, because we already have tagged releases for beta, and the 2nd should fail, because we don't actually have non-stable dependencies (per #29).
Comment #33
effulgentsia CreditAttribution: effulgentsia at Acquia commentedComment #35
effulgentsia CreditAttribution: effulgentsia at Acquia commentedComment #37
effulgentsia CreditAttribution: effulgentsia at Acquia commentedComment #40
effulgentsia CreditAttribution: effulgentsia at Acquia commentedDarn. All looks good with #37, except the "alpha" patch should have had an additional failure on 9.2.x, for specifying a lower stability than the 9.2.0-beta1 tag that's already been released, which means the
getCoreStability()
function isn't working as expected. Need to look into why.Comment #41
longwaveThe issue is that
BuildTestBase::executeCommand()
runs in a separate workspace directory, away from the checkout where the tests are actually running from:As a result
git tag
returns nothing. The reason thatassertCommandSuccessful()
succeeds is that it returns the exit code of the last part of the pipe -head -1
, which was successful (though it did nothing). Maybegit describe
is easier/more reliable than listing all tags?Comment #42
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThank you! Let's see if this now has both expected failures.
Comment #43
effulgentsia CreditAttribution: effulgentsia at Acquia commented+1. I didn't know about that command. I'll make that change.
Comment #45
effulgentsia CreditAttribution: effulgentsia at Acquia commentedTo reduce noise here while I figure out how to run git commands correctly on DrupalCI, I opened #3215503: Testing issue for #3186364.
Comment #46
effulgentsia CreditAttribution: effulgentsia at Acquia commentedComment #48
effulgentsia CreditAttribution: effulgentsia at Acquia commentedYay, #46 works as expected. The first patch sets
ComposerProjectTemplatesTest::MINIMUM_STABILITY
to "stable", and that passes, because all dependencies in HEAD are stable.The second patch sets it to "alpha", and:
Therefore, this patch will allow #3213295: Update Symfony 5 components to 5.3-rc1 to add an RC dependency and change the constant to "RC".
Comment #49
catch#46 is very encouraging. Minor comments follow:
s/it/static::MINIMUM_STABILITY
- worth the duplication vs. 'it' being ambivalent, would probably replace 'it' in later inline comments in the same method too.
Tried to think of a better method name, but came up with getLeastStableStability() which is not better!
Glad we're only doing this in test coverage, reminds me of old cvs_deploy and git_deploy modules.
Comment #50
longwaveYou can pass the working dir as the second argument so it might be simpler to sayThis doesn't work as I expected, you can only have a subdirectory of a temporary working dir, ignore this.
NW for #49.1, but otherwise this is looking good to me.
Comment #51
effulgentsia CreditAttribution: effulgentsia at Acquia commentedFixes #49.1.
Comment #52
longwaveLooks good, thanks for working on this.
Comment #55
catchAlright proof will be in how we get on with the actual update issues, and then updating from them to stable versions, but this looks great.
Committed/pushed to 9.3.x and cherry-picked to 9.2.x, thanks!
Comment #56
effulgentsia CreditAttribution: effulgentsia at Acquia commentedFollow-up: #3216787: Consider alternatives to the ComposerProjectTemplatesTest::MINIMUM_STABILITY constant