Hi Dmitry,
Le 13/01/2021 à 07:34, Dmitry Smirnov a écrit :
On Wednesday, 13 January 2021 9:36:37 AM AEDT David Prévot wrote:
Interestingly, commenting
require_once 'Composer/Autoload/ClassLoader.php';
in "/usr/share/civicrm/vendor/autoload.php" produces the following error
that specifically mention Composer:
~~~~
Fatal error: CRM_Extension_ClassLoader::register():
[…]
So it looks like phpab needs to scan "CRM" directory but that yields
the following error:
~~~~
Multiple declarations of trait(s), interface(s) or class(es).
Could not generate autoload map.
Unit 'crm_pledge_export_form_map' defined in:
- /build/civicrm-5.33.1+dfsg1/CRM/Grant/Export/Form/Map.php
- /build/civicrm-5.33.1+dfsg1/CRM/Pledge/Export/Form/Map.php
~~~~
That allowed you to discover an actual upstream oversight: both files
are (bit to bit) identical. You can safely add
--exclude /usr/share/civicrm/CRM/Grant/Export/Form/Map.php
to you phpab call. That file redefines CRM_Pledge_Export_Form_Map (it
even pretends that “[t]his class gets the name of the file to upload”),
and report it upstream. Please, do report it upstream.
Looks like ripping out Composer might not be worthy of effort...
The above makes me think otherwise :). I suppose
CRM_Grant_Export_Form_Map is never used (yet it is mentioned in
CRM/Grant/Task.php) but detecting such issue at build time instead of
waiting for something bad to happen at runtime seems definitively worth
the effort.
Why do we even want to get rid of it? As I've mentioned, I _want_ to
expose system libraries to minimise vendoring.
About vendoring, I notice you bundle components that are actually
available as Debian packages (e.g., symfony). I wonder which one will
actually be loaded if packages offering the same classes you’re
vendoring are installed.
I noticed your following comment:
//Incompatible with Symfony Component(s) 4+:
yet ~4.4 is explicitly allowed composer.json (but I agree that 3.4.40 is
shipped according to composer.lock), did you dig up the actual problem?
Security issues are found in PHP code all the time, given how poorly
maintained some packages are (either upstream or downstream), exposing
them all to your users is definitely something you want to avoid IMHO.
Regards
David