[pkg-php-pear] Bug#934104: Bug#934104: composer: Don't use debian/copyright for LICENSE when generating autoloader

Kunal Mehta legoktm at debian.org
Mon Aug 12 10:02:28 BST 2019


On 8/7/19 3:26 PM, David Prévot wrote:
>> First, vendor/ directories are no longer identical with people who use an
>> upstream version of composer or from a different distribution (example:
>> https://gerrit.wikimedia.org/r/#/c/mediawiki/vendor/+/526262/1/composer/LICENSE).
> Why is that a problem?

It causes divergence on the output of vendor/ simply based on how
composer was installed and decreases reproducibility. In cases where the
output of vendor/ is audited (like we do at Wikimedia), this is much
more noticeable.

> ...

> I’ve updated the package to provide the upstream LICENSE file from
> /usr/share/php/data/Composer, so both issues should be fixed after the
> next upload, thanks.

Thank you very much!

-- Kunal

More information about the pkg-php-pear mailing list