[pkg-php-pear] Let's reconsider the way Symfony2 Components are packaged for Debian

David Prévot david at tilapin.org
Mon May 26 18:19:49 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

Le 26/05/2014 11:53, Mathieu Parent a écrit :
> 2014-05-25 15:12 GMT+02:00 David Prévot <david at tilapin.org>:
>>> 2014-05-24 16:13 GMT+02:00 "David Prévot" <david at tilapin.org>:
>>> [...]
>>>> I have no idea how to handle multiple composer.json files with
>>>> dh_phpcomposer yet,

>> You may have missed the beginning of this thread that is about building
>> the ~30 Symfony components as binary packages from the same source
>> package (that provides each component in a subdirectory).
> 
> Is upstream doing this?

Yes. They also provide a partial read-only Git repository of each
component, the thing we are currently using. Daniel proposal is about
using the main Symfony repository as source for all binary packages.

I believe it make sense to have every component under the same version,
and that dividing the work in multiple source packages and repositories
as currently is counter-productive.

A new Symfony version often doesn’t touch all component, so the
read-only upstream Git repository of such component often has multiple
version tags for the same commit. Having a watch file claiming a new
version should be package is often a lie. That at least will make more
sense with the mew proposed global approach.

Besides the limits raised on my first message on this thread, another
negative point is about security issues: last time (I remember) a
security issue was discovered in Symfony, Debian was not affected
because it didn’t packaged the affected component, we won’t get that
lucky next time with the new approach.

Regards

David


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJTg4XEAAoJEAWMHPlE9r08EgIH/jvR7MewwPOYA5U6r9pY/pBF
98heka/TsTo/hLjtyoq8LVRf7UCN+Hn76uxU7sVj+iAseMKH1craZKEteWxS6086
hrEfcMsVq2rW7S508sjF3At4WviJAig798nbNtz/r9aUwx8P/MxJ3MwRV/4eurY+
0joXnw7A5ruqcCB7zPoP527cp7YBxedVCDAFAmrSfCjzIbBZoQk3Inz0rGRz6Knz
fs/XqLP7zAVMfNSPyOjbhToIjccNzffKEx2b4f1JgsrOCw+8GNcENyVBfwu1xj14
+0WjLTHKcip+bbcF4AP8uRqZ2TKIs136/tOVlpT9WoCsFlL9Lw/Mq8U4xa3+0JU=
=esUZ
-----END PGP SIGNATURE-----

More information about the pkg-php-pear mailing list