1. It's fairly trivial to script the download and install of the ZF. (We
need an off-the-shelf, official solution for this.) Some simple logic in
a bootstrap file could do it on first run even, so it need not be on the
user, really.
2. Which is why we need to know how Zend plans to release fixes. A
version-targeted installation of the latest patched version should be a
minimum requirement. We should be able to get a security-patched version
of libraries without upgrading our application code to the latest stable
version. Other libraries tack a letter onto the end of the version
number for security fixes. Some designate specific versions for LTS
(long-term-support).
The issue with bundling is that it means that the framework has very
little control over security patches. This could, and likely will, lead
to the framework being blamed for users not patching their applications
as we've seen with numerous other PHP frameworks and CMS products.
Zend really needs to step up here and address the big issue of security
patching policy before it becomes an ecosystem-wide problem.
K
Jordan Moore wrote:
I see two problems with requiring my users to download ZF separately:
1. It's not user friendly. Users should be able to download a single
archive, extract it, and install the application.
2. I can't guarantee compatibility with every version of ZF.
Also, if I used the same logic with all included libraries for this
application, users would need to download a total of 4 external
libraries, and I would need to account for the varying versions of all
4 libraries.
By including the external libraries in my application's distribution,
users only need to maintain a single application, not an application
and 4 libraries.
On Thu, Feb 28, 2008 at 10:53 AM, Kevin McArthur <[EMAIL PROTECTED]> wrote:
I can't see any reason the BSD license would prevent this, however, the
ideal solution would be to maintain an external reference to the official
framework repo, such that any fixes or changes could be contributed back
under the CLA and therefore available to everyone.
I'm not sure applications built upon the Zend Framework should distribute
the framework itself, as from time to time there will likely be security
updates backported, etc. Getting the latest version of a minor version, say
1.0.3a, should probably be the preferred approach.
Some leadership from Zend on the whole packaging, distribution, patching
and security issues would be nice to have though.
K
Jordan Moore wrote:
Not sure why I said MIT, since I had the license right in front of me
and it clearly says "New BSD License"... but thanks for the reply.
If anyone has an opposing opinion, let me know...
On Thu, Feb 28, 2008 at 10:35 AM, Michael B Allen <[EMAIL PROTECTED]> wrote:
On 2/28/08, Jordan Moore <[EMAIL PROTECTED]> wrote:
> I'm developing a distributable application that will be
> using/including the Zend Framework. I was planning on releasing the
> application with a Creative Commons Attribution-Share Alike 3.0
> License. Does anyone know if this is compatible with the MIT license
> that ZF is using?
ZF isn't MIT. It's BSD with no advert. Although AFAIK they are
logically identical.
Since BSD is pretty much a "do whatever you want" license then it is
basically compatible with everything. Go for it.
In fact I think you could even take ZF and s/Zend/Jordan/g and call it
"Jordan's Framework". For a while the Linux guys were taking FreeBSD
drivers and just ripping out the BSD license header and putting in the
GPL header. But I think they stopped doing that because the BSD people
became very annoyed. And rightly so since it was effectively a
one-way-street because they could not bring any GPL'd patches back
into FreeBSD.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
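Kevin's two points above (a bootstrap that handles the framework on first run, and a pinned "latest patched version of a minor release, say 1.0.3a") can be combined into a bootstrap guard. The following is an added example written for this thread, not code from any of the participants or from Zend; it assumes Zend Framework 1.x (where `Zend_Version::VERSION` exists), the `zf_*` function names are hypothetical, and the pinned minimum is a constructed placeholder. It also shows the one trap in a letter-suffix scheme: PHP's `version_compare()` reads a bare trailing "a" as "alpha", so a naive check would rank a patched `1.0.3a` below `1.0.3`.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1.x, whose
// Zend_Version class exposes the constant Zend_Version::VERSION.

/**
 * Canonicalise a "1.0.3a"-style version so that a trailing patch letter
 * sorts ABOVE the bare release. PHP's version_compare() reads a bare "a"
 * as "alpha", so it ranks '1.0.3a' below '1.0.3' and a naive minimum
 * check would treat the patched build as older than the release it fixes.
 */
function zf_canonical_version($version)
{
    if (preg_match('/^(\d+(?:\.\d+)*)([a-z])$/i', $version, $m)) {
        $level = ord(strtolower($m[2])) - ord('a') + 1;   // a -> 1, b -> 2, ...
        return $m[1] . '.pl.' . $level;                   // "pl" outranks plain numbers
    }
    return $version;
}

/** Like version_compare() (-1, 0, 1) but with patch letters handled. */
function zf_compare_versions($a, $b)
{
    return version_compare(zf_canonical_version($a), zf_canonical_version($b));
}

/** True when $installed is at or above the pinned patched $minimum. */
function zf_meets_minimum($installed, $minimum)
{
    return zf_compare_versions($installed, $minimum) >= 0;
}

/** Bootstrap guard; with no framework loaded there is nothing to trust, so fail closed. */
function zf_bootstrap_version_ok($minimum)
{
    if (!class_exists('Zend_Version')) {
        return false;  // the scripted first-run download step would go here
    }
    return zf_meets_minimum(Zend_Version::VERSION, $minimum);
}

// bootstrap.php: pin this per application release (constructed placeholder value).
define('ZF_MINIMUM_PATCHED_VERSION', '1.0.3a');
if (!zf_bootstrap_version_ok(ZF_MINIMUM_PATCHED_VERSION)) {
    header('HTTP/1.0 503 Service Unavailable');
    exit('Zend Framework missing or older than ' . ZF_MINIMUM_PATCHED_VERSION . "\n");
}
```

Bumping `ZF_MINIMUM_PATCHED_VERSION` with each application release is what turns "users don't patch" into a visible failure rather than a silently vulnerable deployment.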