Problem/Motivation

DrupalKernel has this to say about the sites/X/services.yml

// Register site-specific service overrides.

However, it uses the same code as for every other service definition file. Essentially we rely on the implementation detail that a later service definition with the same name overrides an earlier one. This is really, really bad. If someone comes along and say changes the implementation to one using arrays and sorts then good luck figuring out which one wins.

Proposed resolution

Add an argument to YamlFileLoader::load(), parseDefinitions(), parseDefinition() enforcing an override and set it in DrupalKernel::buildContainer. The code does not need to change because at the end of parseDefinition() we have an explicit setDefinition (let's not dwell on why would parsing do a set instead of returning the definition and let the caller set it) which does the override already -- but that's the implementation detail that needs to be made explicit.

To clarify even further: this does not change anything in the contents of service.yml or the actual, current logic of YamlFileLoader. It, however, clarifies intent and makes it so that in a future version we do not introduce nasty and hard to find bugs. I attached a patch that just needs doxygen.

Note: normally we use PHP to alter definitions so this problem doesn't arise with modules because modules will not or at least should not override in YAML but use ->setDefinition calls.

CommentFileSizeAuthor
#6 interdiff.2291589.2.5.txt653 bytesyesct
#6 2291589_5.patch2.53 KByesct
#2 2291589_2.patch2.37 KBchx

Comments

chx’s picture

chx commented
Issue summary: View changes
chx’s picture

chx commented
Issue summary: View changes
StatusFileSize
new 2291589_2.patch2.37 KB
chx’s picture

chx commented
Issue summary: View changes
chx’s picture

chx commented
Status: Active » Needs review
dawehner’s picture

dawehner
Primary language German
commented
Issue tags: +Novice

I guess we want to expand the documentation, sorry. Tagging for novice, so something will take it over.

yesct’s picture

yesct commented
Issue tags: -Novice
StatusFileSize
new 2291589_5.patch2.53 KB
new interdiff.2291589.2.5.txt653 bytes

Let's see if I got the description correct.

(I resisted "fixing" the formatting of the other @param above this added one. That can be a separate issue, but is out of scope for this issue.)

chx’s picture

chx commented
Status: Needs review » Reviewed & tested by the community

Yes, that's all, thanks!

dawehner’s picture

dawehner
Primary language German
commented

So, how can this be RTBC if passing FALSE in now does still the same as you pass in TRUE ... so you certainly can't trust the signature at all.

chx’s picture

chx commented
Status: Reviewed & tested by the community » Needs work

Let's default to TRUE and throw an exception on FALSE then?

dawehner’s picture

dawehner
Primary language German
commented

As said on IRC I think the additional value of an API which pretends to act like we expect it, is not high.

Instead I would propose an explicit integration test coverage to ensure that later ones can override.

chx’s picture

chx commented

In theory, yes. In practice, people will change tests. Even when it has dire security consequences, they will change tests. I have seen that happening. But perhaps, with good comments to be careful in changing tests.

dawehner’s picture

dawehner
Primary language German
commented

Well, you know, even with your patch, nothing blocks people from changing the implementation, so adding tests add a level of safetyness, IMHO.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Needs work » Postponed (maintainer needs more info)
Issue tags: +Bug Smash Initiative

This was an issue of a bugsmash group triage meeting. I was the only one to look at this issue and I am not sure what the next step here is. So, I will ask if this is still something to implement. And is it just adding a test? It is not clear to me.

Is this still relevant? What are the next steps?

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

amber himes matz’s picture

amber himes matz
she/her
Primary language English
Location Portland, OR USA
commented

Looking at this issue again from Bug Smash. There's been no activity for over 1 year since it was marked as Postponed (maintainer needs more info), and could be potentially be closed.

I am certainly no expert on this, but I did do some hunting for other issues related to YamlFileLoader and I learned that:

Portions of this file are a direct copy of
// \Symfony\Component\DependencyInjection\Loader\YamlFileLoader"

And, it seems, looking at other issues related to YamlFileLoader that the consensus is that Drupal's YamlFileLoader should really stay as close as possible to Symfony's. So I'm wondering if this issue should be closed a "won't fix"? Or possibly rolled in as a task with another feature request related to YamlFileLoader? Like #3111008: Use native Symfony YamlFileLoader maybe?

smustgrave’s picture

smustgrave commented
Status: Postponed (maintainer needs more info) » Closed (outdated)

Since there hasn't been a follow up going on almost 2 years going to close out. If still an issue please reopen.