Mark security-only packages as Abandoned in packagist.org
#154
Comments
And here we will generate a lot of requests and issue reports, because laminas-http is in security-only maintenance mode and laminas-mvc is using it. |
|
This is trying to monkeypatch a situation that is not caused on our side by activism on our side. The only clean solution to this issue would be to mark the library as "security-only" on packagist. OTOH: What is exactly the issue? That people are not seeing fast enough that In all three cases adding a more prominent warning plus a label As we have that (kind of) in control we can much easier provide a better solution than marking the issue as "abandoned" on packagist. Perhaps we should move the "Security only maintenance mode" message above the "To people from Russia" message. As important as that is: The maintenance message addresses more people and currently isn't visible right away when people visit the repo... |
👍🏻 And often the headline is missing: |
That would be good indeed, actively maintained packages should rely only on other actively maintained packages
I disagree: do you read every day the homepage of every package you use? I don't, but I read daily the
I understand the questions and concerns you raised, but this would have helped me no better than what it already did. The more I think about this, the more |
You may be right, but this creates frustration for the user and ends in countless requests, as the past shows. So that can't be the solution because we can't get laminas-mvc package changed over so quickly. A simple option would be to set the laminas-http to active again. (This is only one example.) |
|
security only just marks a package feature complete. regarding laminas-log, I really would encourage users to use monolog instead. Other packages, such as laminas-http, will and can support newer php versions and are therefor still security-only which includes php upgrades imho. |
Hi everybody, today we were trying to update our dependencies to
psr/log:v3, butlaminas-logconflicted because it only supportsv1.Ok, then I went to open a PR to extend its compatibility, but laminas/laminas-log#50 was already there.
I had to read all the comments, and then the
README.md, and then2020-08-03-TSC-Minutes.mdto find out it's marked assecurity-only.I would like to ask you to mark all the
laminaspackages currently voted assecurity-onlyasAbandonedin https://packagist.org/packages/laminas/: this aims to spread awareness of their status thanks to the built-in functionality ofcomposerto pop yellow warnings for abadoned packages.I am aware that, semantically, they are not really abandoned, but I think for the end user it's better than not having it marked so.
The text was updated successfully, but these errors were encountered: