TYPO3 is no longer installed in vendor-dir

[stucki]

According to 2d078ab, typo3/cms should always be installed in the vendor directory.

I just tried installing the latest master, but it installs TYPO3 into {$web-dir}/typo3/. In older versions, a symlink was created instead when I specified cms-package-dir.
According to the message in the commit above, this should now be the default. However it seems like this doesn't work as expected...

Here is my composer.json:

{
    "config": {
        "git-clone-depth": 100,
        "process-timeout": 900,
        "preferred-install": "dist",
        "optimize-autoloader": true
    },
    "minimum-stability": "dev",
    "prefer-stable": true,
    "repositories": [
        { "type": "composer", "url": "https://composer.typo3.org/" }
    ],
    "require": {
        "typo3/minimal": "dev-master",
        "typo3/cms-composer-installers": "dev-master"
    },
    "extra": {
        "typo3/cms": {
            "web-dir": "web"
        }
    }
}

[stucki]

@helhum Can you please take a look at this? Not sure if it's a bug or intended.

[helhum]

@stucki Hey. Thanks for your report. Since typo3/cms is not installable at all any more with current TYPO3 master (and composer installers 2.0), the configuration where to install typo3/cms is obsolete.

Previously typo3/cms was installed and then individual core extensions were symlinked to {$web-dir}/typo3/sysext (in fact the whole typo3 folder was symlinked).

Now that we use the subtree split packages, these are installed directly into the place TYPO3 expects them, which is {$web-dir}/typo3/sysext

So, yes, current behavior is intended.

[stucki]

Thanks for the feedback. Nevertheless, I'd see this as a missing feature then...

[helhum]

Nevertheless, I'd see this as a missing feature then...

Can you elaborate what exactly you miss?

[stucki]

I'm not sure if I just don't understand the concept or if I'm unaware of any planned features, but the status right now seems to be less powerful compared to before:

I would like to keep system extensions outside of the document root. It may not make a difference security-wise (because access was always possible via the symlink) but structure wise I like to have everything (or: as much as possible) that does not belong to my project in the vendor folder.

[stucki]

Related to this, I have a second question: Like you mention, typo3/cms is no longer installable. I have the possibility to require typo3/minimal metapackage, however this depends on a stable release, so I cannot use master with it right now.

For example, https://forge.typo3.org/issues/83479 was fixed a few days ago in master, but typo3/minimal depends on the last 9.0 release, so the fix is currently missing.

Is there an easy way to regain this possibility without explicitely having to specify all system extensions?

[helhum]

I'm not sure if I just don't understand the concept or if I'm unaware of any planned features, but the status right now seems to be less powerful compared to before

Well depends how you look at it.

I would like to keep system extensions outside of the document root

I agree :)

It may not make a difference security-wise (because access was always possible via the symlink) but structure wise I like to have everything (or: as much as possible) that does not belong to my project in the vendor folder

I also agree. However TYPO3 still requires core extensions to be installed in typo3/sysext/.
While we are striving to remove this limitation (in TYPO3 core), it currently still exists and there is nothing we can do about that within the composer installers.

The power of the approach having everything directly installed in typo3/sysext/ is that we won't require any symlinks to be created any more. The code is just there where it needs to be, just like for third party extensions which were always installed in typo3conf/ext/ by composer installers.

So yes, structure wise it isn't all too nice, but unavoidable when we want to avoid symlinks.
Other than theoretical issues with the structure, do you see any practical issues with that?

[helhum]

Related to this, I have a second question: Like you mention, typo3/cms is no longer installable. I have the possibility to require typo3/minimal metapackage, however this depends on a stable release, so I cannot use master with it right now

Using branches indeed is a bit more complicated. However from a composer point of view it makes sense. If you need a package in a branch, add this package as branch version to your composer.json. In your case you could add "typo3/cms-backend": "9.1.*@dev as 9.0.0" to pull this fix in (including other changes within that branch).

In general, if you need a fix for a project, I would always prefer to use a composer patch plugin over having to pull in a branch with composer.

[helhum]

Oh, and last thing. If you are concerned about security, with extension code being in document root, you may want to look at https://packagist.org/packages/helhum/typo3-secure-web

You can use this with TYPO3 8 and higher and using this will get you a directory structure with document root only containing public assets.

[helhum]

but unavoidable when we want to avoid symlinks

Hm, since I mentioned typo3-secure-web (which also uses symlinks to set up the document root),
we could indeed change composer installers to have the composer install path of all extension in vendor and create symlinks (and junctions on Windows) to the place TYPO3 requires them to be.

Shouldn't be too hard to do. Question would be. Should we do this by default (again having symlinks) or as option.

I'll re-open this here for now.

[stucki]

Thanks for the long answer.

So yes, structure wise it isn't all too nice, but unavoidable when we want to avoid symlinks.
Other than theoretical issues with the structure, do you see any practical issues with that?

I think there are no other drawbacks except this one.

Using branches indeed is a bit more complicated. However from a composer point of view it makes sense. If you need a package in a branch, add this package as branch version to your composer.json. In your case you could add "typo3/cms-backend": "9.1.*@dev as 9.0.0" to pull this fix in (including other changes within that branch).

Ok this will do, thanks. I'm still not too happy with it. I was hoping for a way to specifiy the version for all typo3/cms-* packages in a single constraint. However, I don't think that this is possible...

In general, if you need a fix for a project, I would always prefer to use a composer patch plugin over having to pull in a branch with composer.

Yes and no. The issue that I mentioned above breaks the backend for a new installation. It is definitely a bad end user experience if he expects to take a first look at the current master without being aware that this is actually 9.0 and not master...

Oh, and last thing. If you are concerned about security, with extension code being in document root, you may want to look at https://packagist.org/packages/helhum/typo3-secure-web

Looks interesting, thanks! But according to the README, it doesn't work with TYPO3 version 9. So what is correct?

Hm, since I mentioned typo3-secure-web (which also uses symlinks to set up the document root),
we could indeed change composer installers to have the composer install path of all extension in vendor and create symlinks (and junctions on Windows) to the place TYPO3 requires them to be.
Shouldn't be too hard to do. Question would be. Should we do this by default (again having symlinks) or as option.

If we can provide better security by default then I'd go for this. I know that there were issues with symlinks and I had some of them too while using Linux in Docker on Windows. However, the easy fix for this could be a configuration flag to turn symlinks on or off without any further auto-detection. What do you think?

I'll re-open this here for now.

Thanks!

[helhum]

If we can provide better security by default then I'd go for this

There is no impact on security if typo3 extensions need to be in document root for TYPO3 to work,
whether we install code directly there or just symlink code to be there.

[helhum]

Looks interesting, thanks! But according to the README, it doesn't work with TYPO3 version 9. So what is correct?

Here is the quote from the README: "While it would still be possible to require typo3/cms (the complete TYPO3 package) for TYPO3 version 8.7, it is not recommended any more and won't work with TYPO3 9."

So it is all about the typo3/cms package, which you can still use with TYPO3 8, but not with 9.
typo3-secure-web can deal with both.