[pkg-php-pear] Let's reconsider the way Symfony2 Components are packaged for Debian

Mathieu Parent math.parent at gmail.com
Tue May 27 14:36:02 UTC 2014


2014-05-26 20:19 GMT+02:00 David Prévot <david at tilapin.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi,
>
> Le 26/05/2014 11:53, Mathieu Parent a écrit :
>> 2014-05-25 15:12 GMT+02:00 David Prévot <david at tilapin.org>:
>>>> 2014-05-24 16:13 GMT+02:00 "David Prévot" <david at tilapin.org>:
>>>> [...]
>>>>> I have no idea how to handle multiple composer.json files with
>>>>> dh_phpcomposer yet,
>
>>> You may have missed the beginning of this thread that is about building
>>> the ~30 Symfony components as binary packages from the same source
>>> package (that provides each component in a subdirectory).
>>
>> Is upstream doing this?
>
> Yes. They also provide a partial read-only Git repository of each
> component, the thing we are currently using. Daniel proposal is about
> using the main Symfony repository as source for all binary packages.

OK

> I believe it make sense to have every component under the same version,
> and that dividing the work in multiple source packages and repositories
> as currently is counter-productive.
>
> A new Symfony version often doesn’t touch all component, so the
> read-only upstream Git repository of such component often has multiple
> version tags for the same commit. Having a watch file claiming a new
> version should be package is often a lie. That at least will make more
> sense with the mew proposed global approach.

OK. But I think this is a bad behavior upstream. Horde is a good citizen here.

> Besides the limits raised on my first message on this thread, another
> negative point is about security issues: last time (I remember) a
> security issue was discovered in Symfony, Debian was not affected
> because it didn’t packaged the affected component, we won’t get that
> lucky next time with the new approach.

OK.



More information about the pkg-php-pear mailing list