[Pkg-xmpp-devel] Bug#932564: movim: should not use composer’s autoloader at runtime

Thorsten Glaser t.glaser at tarent.de
Tue Nov 19 21:40:35 GMT 2019


retitle 932564 movim: should not use composer’s autoloader at runtime
severity 932564 wishlist
thanks

On Sat, 20 Jul 2019, David Prévot wrote:

> I just noticed that the movim package depends on composer. Looking
> further, it seems to use the ClassLoader feature of Composer.
> 
> I’m not sure this is a proper (nor optimal) way to load classes in a
> production system, I’m not even confident that’s a secure way to do it.

It’s good enough for now.

> I thus would like to advise the use of a tool like phpab in order to
> generate an autoload at build time, and let movim use this static
> autoload at run time.

This would require binNMUs every time a dependency changes.
I’d prefer to not do this.

If I get a really good reason to write my own autoloader implementation
similar to composer’s and use it instead, I might just do that, but I
looked at the implementation, and it’s suitable for now.

> Maybe some movim dependencies are affected by a similar issue, I didn’t

No, we’re installing them into /usr/share/php/ in a way that
the include path contains them correctly, which we use in the
composer autoloader invocation:

	$movim_autoloader->setUseIncludePath(true);

> I’d like to advise hosting those dependencies under the “Debian PHP
> PEAR (and Composer) Maintainers” umbrella by the way.

Are you kidding me? We’ve asked the PHP maintainers, ahead of
time, multiple times, and never got *any* kind of usable reply,
nor any kind of assistance regarding the way we should install
and use the libraries. It’s a bit surprising you complain *now*
about *both* the way we use them (autoloader) *and* where they
are hosted, when the PHP packagers have been extremely unhelpful
when we asked.

We would have liked to have them maintained by people who know
what they’re doing, but it turned out that it’s better to do it
ourselves, perhaps not in the same style but not too badly, than
to be under the umbrella of an unresponsive team.

bye,
//mirabilos
-- 
Yes, I hate users and I want them to suffer.
	-- Marco d'Itri on gmane.linux.debian.devel.general
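
Added example, not part of the original message and not movim's or Composer's code: a small PHP check an administrator can run to see which file an include-path-based class lookup would load, and whether any include_path entry is relative or writable by group/other. It assumes a Unix-style system and that the include-path fallback maps a class name to a PSR-0 style relative path resolved with stream_resolve_include_path(); the function names and sample class names are hypothetical.

```php
<?php
declare(strict_types=1);

/** Map a class name to a PSR-0 style relative path (assumed lookup scheme). */
function logicalPathPsr0(string $class): string
{
    $class = ltrim($class, '\\');
    $pos = strrpos($class, '\\');
    if ($pos === false) {
        // PEAR-like name: underscores become directory separators.
        return str_replace('_', DIRECTORY_SEPARATOR, $class) . '.php';
    }
    $ns   = str_replace('\\', DIRECTORY_SEPARATOR, substr($class, 0, $pos + 1));
    $name = str_replace('_', DIRECTORY_SEPARATOR, substr($class, $pos + 1));
    return $ns . $name . '.php';
}

/** Return [entry, reason] pairs for include_path entries worth reviewing. */
function auditIncludePath(string $includePath): array
{
    $findings = [];
    foreach (explode(PATH_SEPARATOR, $includePath) as $dir) {
        if ($dir === '' || $dir[0] !== '/') {
            $findings[] = [$dir, 'relative entry, resolved against the working directory'];
            continue;
        }
        $perms = @fileperms($dir);
        if ($perms === false) {
            $findings[] = [$dir, 'does not exist or is unreadable'];
        } elseif (($perms & 0022) !== 0) {
            $findings[] = [$dir, 'writable by group or other'];
        }
    }
    return $findings;
}

foreach (auditIncludePath(get_include_path()) as [$dir, $why]) {
    printf("WARN  %-30s %s\n", $dir === '' ? '(empty)' : $dir, $why);
}

// Constructed sample class names; replace with classes the application loads.
foreach (['Example\\Vendor\\Thing', 'Example_Legacy_Thing'] as $class) {
    $rel = logicalPathPsr0($class);
    $hit = stream_resolve_include_path($rel);
    printf("%-24s -> %s\n", $class, $hit === false ? "not found ($rel)" : $hit);
}
```

Run it with the same PHP SAPI and configuration as the web application, since include_path can differ between the CLI and the web server.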


