Allow Composer packages to ship their own recipes #70
Comments
|
@dkarlovi I'm afraid this idea has been rejected before because Symfony Flex needs a central repository in order to implement some of the features that are planned for the coming months. I understand this may be a bummer for you, but it's common for Symfony developers to use "central repositories". They use GitHub.com as the central repository of their public code and Packagist.org as the central repository to define Composer packages. |
|
@javiereguiluz the difference is, they control their own additions to the central repository, it doesn't go through some 3rd party. |
|
Also, you still have the central repo, as stated in 4), you just don't need to go through the recipes repo. |
|
I disagree with you about the 3rd party comment. For your code you rely on a private 3rd party called GitHub.com and for the Composer packages you rely on a private 3rd party called Packagist.org (this one has open sourced some parts of it). You can get banned by them and they have Terms of Use, so your code/package can be rejected by them. The idea is to apply the same rules for symfony/recipes-contrib ... everything will be approved, except some clearly illegal things, etc. |
|
@javiereguiluz you misunderstood my "3rd party" comment, let me clarify: I'm not talking about "being free of 3rd party services" nor imply Github or Packagist or somehow free for me to use or abuse. My point is, having to go through recipes-contrib seems awkward for maintainers and might hinder common workflows. Here are some scenarios:
I'm not knocking the "central repository" part, I'm against the inclusion mechanism. If everything will be approved, why not approve it automatically, like Packagist does? Why not let maintainers have a mono-repo like Symfony itself does? Having a separate repo to do this feels like... paperwork. Thanks for your answer. |
|
@dkarlovi There is the same kind of integration workflow for debian packages in the official repos, and there's no complaint about this, because it's the best way to have control over flex packages. Bundling recipes in packages themselves would be asking something to composer, which is not the case of Flex which is just retrieving the package naturally and adds some logic afterwards if there is a recipe corresponding to this specific package. That's completely different. The goal with the Flex repos is to provide "Official" and "Contributors based" repositories to find flex packages. Maybe @fabpot will one day propose users a way to store their own Flex repositories, by open-sourcing a flex server project, like you can have your own "private packagist server", but users will need to be aware that unofficial flex repositories will offer no guarantee of the quality & compatibility official ones provide. |
There's been extreme complaints about the fact each distro needs to re-package their own stuff (and, by which, reinvent the wheel, very NIH). That's the reason Snap or Flatpak was created (again, competing standards). Also, it's common for system software to provide their own packaging spec (example: PHP, Sphinx Search) which might be used directly or extended by the distro.
Flex is, as it stands, completely dependant on Composer because it's literally a Composer plugin. Future direction might change that, of course, but currently it's exactly like that.
That's not brought into question, official repo curation would be great to have, I'm talking specifically about recipes-contrib and the way to get Flex to recognize your package as supported. |
|
To recap, everything stays as is, only change is Flex checks for recipe in |
|
About complaints, I agree I came to fast by saying there were none. The issue here is that packages need lots of validation to be integrated into the official repos, which makes the packages extremeley reliable, most of the time. For flex being a composer plugin, I never said that it was not related to composer. Flex is catching composer installations, requirements and removals, to ask Flex recipe if the composer package is available with Flex (= it has a flex recipe, and/or it is a symfony bundle that can be automatically added to the kernel if there is no recipe). Flex is not a package manager, it's a package installation/configuration automation system, that's why it's different than composer itself |
|
Composer and github gives packages, while flex integrates them to your application. The formers just put things beside your application, the latter can actually alter your application. That's not the same target, not the same validity checks to perform. I think it's legit to keep control over contrib recipes even if they are almost all accepted, they are all reviewed beforehand so you can't end up with weird things in your application, that is part of the flex responsibility. |
I wouldn't otherwise comment this part further, but since you've said "official repos", "validation" and "extremely reliable" (specifically with regards to Debian), you've named all the keywords required. :)
I understand what Flex is supposed to be (on technical level, at least). The only difference I've proposed here is that it tries to fetch the recipe from the package being installed too. To clarify again: I see great value in Flex even now (that's the reason I'm still commenting on a closed issue), This especially goes for proposed "packs" (which, in my mind, are Composer metapackages which only list the exact dependencies and optionally their exact configuration). For example, ApiPlatform could become a pack with exact versions of 3rd-party packages required and (optionally) their configuration. Let's say it needs to configure FOSOauthServerBundle in a specific way to have it work, but OauthBundle doesn't have a recipe yet. Do they submit their version of the bundle's recipe? It's not really generic so that's probably wrong. A better way would be to create a pack which would:
This way, you get to have official packs, platform vendors such as ApiPlatform or Sylius can drop their "standard editions" in favor of packs, maintainers can ship their own (default) configurations, it seems really flexible to me. |
You're trusting developers of the code being executed to know how to write the code in question, give them the benefit of the doubt they'll be able to recipe it. :) See my Debian link previous comment. In my mind, there's no issue here:
If by the end your app is broken, that's no more the issue of Flex than it is of Composer (obviously, barring bugs). Anyway, thanks for your answers, agree to disagree I guess. |
|
Note that as Flex is just a Composer plug-in (and convention) you can actually create your own plug-in for the more simpler tasks (copying files for example) ;) Flex is not doing more then you were already were able to do, it just makes it more "standard" and moderated to provide some level of quality. |
|
@sstok Sure enough, we could do it, but it's not standard, everyone will create his own plugin for Composer, and a lot of code will be duplicated unnecessarily. Knowing that in addition, a request to the server https://symfony.sh is done for each package, which is totally useless for a private package, and in addition, an unnecessary load for the server. Another problem with private packages: their are not published on Packagist, and consequently, the recipe will not be accepted in I accept the argument of security even if I do not agree with it, And the arguments of @dkarlovi explains it very well, but it concerns only the public recipes, not the private recipes. However, we can do like for @javiereguiluz For a private package, you do not use Packagist with Composer, but you use a Satis server or a VCS Repository that requires no server but is slower. @javiereguiluz, @sstok, @chalasr, @Pierstoval At this stage, you will answer me that it will soon be possible to set up a private server to solve this problem. However I would reply that it would be better to have a flexible approach, which would be a plus for the developers that we are. Composer, Yarn, NPM, Bower do it very well without private server required via GIT SSH (NPM has since added the ability to save private packages, but it pays off and optional). So for our private packages with Flex, it would give:
I am pleased to note that Symfony is heavily and increasingly inspired by what is best in the javascript world, and I can only adhere to it. And to get there, you've created this tool, Awesome! But what astonishes me is that the tool is limited, not because it is young, but by choice (In relation to the explanation given, but I'm probably wrong, and I hope ;)). However, adding flexibility isn't the fundamental principle of this Composer plugin??? I sincerely hope to reopen the debate. |
|
In response to @chalasr 's comment:
@chalasr Sorry, but I don't agree with you, and I don't see why Symfony Flex must guarantee the "security" of the application. I see rather Symfony Flex as a tool for automating tasks plugged to Composer, and I'll try to explain my point of view below. Symfony Flex is a pure plugin for Composer, It uses the event system of Composer ( Now, Imagine that Jordi and Nils had the same perspective for Composer, that is, ensure that packages downloaded from Packagist/Satis/VCS Repository Drivers, must will be validated by the Composer's team, because everything emanating from the Composer must be guaranteed: the plugin system (composer/composer#2013) would never have been created, and consequently, this plugin would never have existed either, as well as many other plugins like for example fxp/composer-asset-plugin. I'll take the example of this plugin, because it uses the events of the solver SAT (among others) to manipulate the packages before and after the resolution of the dependencies. This plugin could not exist without composer/composer#2013 and composer/composer#3171 (you can find the first negative feedback from Nils for this feature in the issue composer/composer#3116, with the same reluctances). In the end, this does not prevent in any way all developers of Oro CRM/Oro Platform, Yii Framework and other, to use this plugin despite an advanced extension of Composer, not originally planned by its creators. They use this plugin because it is a useful feature and they trust the project developer or directly to the developers of the packages. To return to Symfony Flex, The basis of this plugin is great, as is the system of shared recipes (offcial and contrib). But just like Composer has these beginnings, this plugin should set up a system to extend it, with why not, an activation by the developers in the project to avoid the "weird things" without its consent. To answer of the suggestion of @sstok in his comment:
Yes it is indeed the case, but it is frankly damaging to have to reinvent the wheel, and copy code unnecessarily, without being able to execute our plugin before or after your plugin. This vision is therefore not a "standard". Like indicated in the issue #71, I had already proposed the possibility to configure automatically the bundles (self-configuration), but this had been refused at the beginning of Symfony 2.x. Of course, I didn't wait Symfony Flex to create this feature (idem for Oro), and so I use a Composer plugin to do it. However why my plugin is it not public? Simply because it isn't "standard" to Symfony, but only for my project, that it isn't public. Of course, I could go out the base, and put it in open-source, but I considered at the time not having the time to support this kind of tool, and now, Symfony Flex could be this base. As I said at the beginning of this comment, I see much more Symfony Flex as a great automation tool to standardize the project configuration system, than a simple tool dedicated to Symfony, despite what you say, and even if you have added directly into the plugin a special configurator for the Symfony Bundles ( But for this, @fabpot would have to move in this direction, which seems to be the case with his comment in the issue #53:
Given that Composer is able to have plugins depending on other plugins, It would be great to allow a plugin to listen to events from your plugin, for example, be able to add a new configurator, or build a system for managing recipe servers. Symfony have the the power to carry this kind of tool, we only have to see what you're doing with all Symfony components used by many open-source or proprietary projects, Or your participation in PSR to be convinced. I think that a "standardized" and extensible automation tool would be great, but for that, we must accept more flexibility and openness to ideas that we had not especially had at the outset, so please, reopen this issue of @dkarlovi to continue to debate. To conclude, simplify, standardize the project configuration for any type of package, As did Composer for the dependency management, or PSR for the autoloading, the logger, the DI, the cache, the style etc... Is not this a great perspective for a tool whose main purpose is to help developers to configure their project? I know, the question is much wider than the original question (and my comment is really very long :)), but ultimately, the problem is the same: How far does Symfony Flex want to help developers for the configuration of their projects? |
OK, now you got me interested 😄 |
|
@francoispluchino Fair enough. |
All this extension system could be done by forking Flex and changing some urls, or publish your own plugin based on Flex and override some stuff in Flex. First it needs reverse engineering about the result from |
A fork, a fork a fork... and always a fork! :) The principle of this proposal is precisely to avoid fork a tool for everyone to have its tool, but have a common foundation. And currently, we cannot extend Flex given that we would have to dispatch events (among others).
It's not necessary for private recipes, but to create her own Symfony.sh server, yes, Even if it is not really necessary to do reverse engineering on the server APIs, but just look at what Flex expects, it's really simple.
That would be a good thing, but in the current state of Flex, it is not possible (see this comment of the issue #71).
Yes I confirm ;) And Composer does not need Packagist to work. We can disable Packagist and only work with a Satis private server (or other), see several private servers, but also with the VCS Repositories (Package repositories directly added to the file composer.json). In no case Packagist is a prerequisite to Compose to execute, but simply the official repository avoiding to manually add the package repositories (and removing analysis of versions). Therefore, Symfony Flex should take this feature into account, in order to work with packages not referenced on Packagist, ie private packages on Satis or VCS Repository. In the current state of progress of this plugin, https://symfony.sh is used only to retrieve package aliases, and recipes. The recipes with their aliases on https://symfony.sh for packages referenced on Packagist is a very good thing, but this is not the case for private packages, especially since aliases are not required to get recipes. In this regard, the question of fair access to such aliases, as well as potential conflicts with trademarks identifying the use of their names in aliases without authorization would be interesting, but it is another debate :). To conclude, I remain doubtful, and I still do not understand your reservations. Do not I understand you correctly? Or, Do you simply agree on the principle of adding the possibility of having recipes in the package, but also on private servers, while adding the possibility of extending the plugin with new configurators, but that the Symfony team does not want to spend time for this type of functionality but wants external contributions? |
|
FYI, pull requests on the contrib repository are now entirely managed by community (and merged automatically), see https://github.com/symfony/recipes-contrib/blob/master/README.rst for the exact rules. |
|
@fabpot Thank you for these new informations about the public packages. Are the owners (or organization users) notified when an external user pushes a pull request in the recipes-contrib repository? However, the problem is still present for private packages. |
|
If anyone is interested in this topic I tried to reverse engineer symfony/flex API and create proxy server/application to allow ship own recipes https://github.com/aurimasniekis/flex-server |
|
So, a simple question: is it possible to install private packages via flex? Or is this just impossible for now? |
|
@apfelbox Currently, it's impossible. |
|
Correction: you can install private packages, because it's Composer who installs the package. |
|
@Pierstoval Of course Composer can install private packages, the subject of the issue concerns the recipes, and so, private packages with private recipes. ;-) |
|
@francoispluchino thank you @Pierstoval thanks for the clarification, that is indeed what I meant. I want to install private recipes (a.k.a. private packages with these installation hooks). Okay, that is a feature that would be really much appreciated, to use flex outside of the OSS world, too. Especially "corporate" software often times isn't OSS, but may want to benefit from these comfort features, too. |
|
As you can see, it's a feature a lot of people are asking for, maybe we'll get it one day :) |
This PR was merged into the master branch. Discussion ---------- Remove version_aliases configuration setting `version_aliases` was a bad idea as it incurs too much manual maintenance as we need to remember to add new minor and major versions. That's fragile and we will probably forget to do it promptly. That's even worse for contributed recipes. So, instead (and as already documented in the README, so not part of the diff), the version of the recipe if the minimum version that the recipe supports. So, if there is only one recipe for version "3.3", the recipe will be applied for all versions >= 3.3 (including 3.x, 4.x, ...). If a version introduces changes that has an impact on the recipe , then a new directory with the version when the break appeared should be created with the new recipe, which makes total sense. Commits ------- 07a5c67 removed version_aliases configuration setting
If you're a package developer, you might want to opt-in to being Flex compatible. This way, you're shipping the recipe with the package, maintaining it there (each version might be different, but as they're together, they're in sync). Without this, you maintain your package in your own repo, but need to maintain a part of it somewhere else (in the recipes* repos). If you push a major release, you might have to wait for someone else to approve the PR, etc.
You could allow for packages to ship their own Symfony recipes, maybe directly inside
composer.json? It could work like this:composer.jsonto itcomposer.jsonwith the recipecomposer.jsonand supporting tag subscription notifications in packagist.orgThis might be already possible somehow, but I didn't find a reference to it. This would also mean recipes-contrib would become (mostly) obsolete because maintainers would be able to ship their own recipes, the only use case for contrib would be adding recipes to bundles where you might not be able to add recipes directly, for example with unmaintained or uncooperative projects. Recipes repo would stay in place mostly for curation purposes (as in, enumerating quality packages and providing aliases for them).
The text was updated successfully, but these errors were encountered: