> I was going to mention Puli too. Not because of all its features, but because
> it contains a very simple solution to a wider problem: locating resources.
If you think Puli is simple, we can agree to disagree.
I make a sharp distinction between simple and easy - Puli aims to make
dependency management easy, but doing everything Puli does for assets
requires a complex system. It's not simple.
Don't get me wrong - the complexity in Puli is justified for all the
tasks it makes easy: mapping, locating, publishing, minifying,
The problem is, I don't have any of those requirements - so it solves
a bunch of problems that I don't have.
> your proposition only solves how to expose them, which is quite restrictive
>From your point of view, this is restrictive, because you have all of
>From my point of view, it's liberating, because I have none of those
Or rather, I choose to address them at a different level - I don't
view tasks such as compiling, minifying, serializing, etc. as run-time
tasks at all. I view them strictly as design-time tasks - I perform
those tasks ahead of run-time, and ship the ready, published,
minified, serialized assets as pre-baked static files that I check
There is also the case where scripts receive no design-time processing
and are simply hand-written and checked in. For that scenario, having
any sort of run-time overhead or server-side complexity is completely
Standardizing for the simple case is simple.
If you wanted to standardize the far more complex case, that's going
to require an entirely different, far more complex standard.
On Tue, Oct 18, 2016 at 10:51 AM, Matthieu Napoli <matth...@mnapoli.fr> wrote:
> Hi Rasmus,
> I was going to mention Puli too. Not because of all its features, but
> because it contains a very simple solution to a wider problem: locating
> Puli encourages to have a `res/` directory containing all resource files
> (just like `src/` contains all source files). Resources include assets,
> configs, templates, etc. Because the problem with everything that is not a
> source file is "how to locate it" (for source files we have the autoloader).
> Once an application can locate assets, it can publish them, minify them,
> etc. The standard would avoid deciding what to do with assets (whereas your
> proposition only solves how to expose them, which is quite restrictive). The
> less the standard expects the better.
> Le mardi 18 octobre 2016 10:08:56 UTC+2, David Négrier a écrit :
>> Hey Rasmus,
>> Another thing came to my mind. Your proposal looks awfully similar to Rob
>> Loach's component system.
>> Have you had a look at it? =>
>> Any thoughts about that? Shouldn't we consider building on this existing
>> The difference is that Rob Loach has an implementation of a Composer
>> installer instead. So rather than working on a specification, he directly
>> created an implementation. Which is actually fine because you don't need a
>> framework for your assets to be copied (they are copied/linked by the
>> component-installer composer plugin that is a dependency of your asset
>> What would be the value of an Asset-PSR (if you want to build a PSR out of
>> it), instead of Rob's direct implementation?
>> Best regards,
>> Le lundi 17 octobre 2016 21:57:20 UTC+2, Rasmus Schultz a écrit :
>>> A lot of people do a lot of things wrong. In my opinion, it's better to
>>> create simple things that are easy to learn to use correctly - as opposed to
>>> creating complex things that supposedly shield you from making mistakes.
>>> Often such things provide only a false sense of security - and usually you
>>> can break them and hurt yourself anyhow.
>>> Most server side components have some kind of client side footprint -
>>> URLs or HTML class names etc which can be used to figure out what you're
>>> I really don't think it's within the scope of this specification to teach
>>> OWASP 101? Package names are obviously revealed in the URLs - it's hardly a
>>> hidden detail, it's basically the whole concept.
>>> In my opinion, there is no security problem inherent in this idea, unless
>>> you create one.
>>> On Oct 17, 2016 9:30 PM, "Sven Sauleau" <sven.s...@gmail.com> wrote:
>>>> Using this standard, people can know what packages you are using because
>>>> of its predictable paths. Some packages are running server-side code as
>>>> as exposing public assets.
>>>> I said (in the comments of the gist) that exposing stuff is the
>>>> responsibility of the developer. I’m sure some people will be confused and
>>>> disclose informations they shouldn’t (as mention by Fabien).
>>>> Le lundi 17 octobre 2016 16:43:25 UTC+9, Rasmus Schultz a écrit :
>>>>> I wrote a draft for a simple scheme for the inclusion of static assets
>>>>> in (Composer) packages.
>>>>> Not submitting this or anything, just dumping it here to start a
>>>>> discussion :-)
>>>> You received this message because you are subscribed to a topic in the
>>>> Google Groups "PHP Framework Interoperability Group" group.
>>>> To unsubscribe from this topic, visit
>>>> To unsubscribe from this group and all its topics, send an email to
>>>> To post to this group, send email to php...@googlegroups.com.
>>>> To view this discussion on the web visit
>>>> For more options, visit https://groups.google.com/d/optout.
> You received this message because you are subscribed to a topic in the
> Google Groups "PHP Framework Interoperability Group" group.
> To unsubscribe from this topic, visit
> To unsubscribe from this group and all its topics, send an email to
> To post to this group, send email to firstname.lastname@example.org.
> To view this discussion on the web visit
> For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups "PHP
Framework Interoperability Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to email@example.com.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.