Re: [Wikitech-l] Handling support libraries that depend on php 5.6 via composer

2017-01-23 Thread Gergo Tisza
On Mon, Jan 23, 2017 at 12:29 PM, Erik Bernhardson <
ebernhard...@wikimedia.org> wrote:

> * Fork the library, publish it under wikimedia/elastica, and change the
> minimum version to 5.5.x. This is a bit of a pain, but accomplishes the goal.
>

You could also fork the package definition (i.e. use a hand-maintained
package file instead of packagist, but still refer to the upstream elastica
repo in that file); that's less effort to maintain. OTOH unless they have a
policy of keeping B/C with PHP 5.5, you'll probably have to fork the code
sooner or later anyway.
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Handling support libraries that depend on php 5.6 via composer

2017-01-23 Thread Erik Bernhardson
Within CirrusSearch we are in the process of updating to use elasticsearch
5.x. This has a few changes to the API, and necessitates a new version of
the Elastica support library. Elastica now depends on php 5.6 (but doesn't
use any special features; they are simply only supporting non-EOL php
versions). This specifically becomes an issue because jenkins tests the
mediawiki/vendor repo with 5.5.9, and as such the tests reject any
dependency that requires >= 5.6.0.

There are a few options for handling this but I wanted to see what other
people think:

* Fork the library, publish it under wikimedia/elastica, and change the
minimum version to 5.5.x. This is a bit of a pain, but accomplishes the goal.
* Fake the platform[1] in mediawiki/vendor composer.json. This is
sub-optimal because it applies to everything, not just a single dependency.
I could see us accidentally pulling in code that will not meet our
requirements.
* We could use `--ignore-platform-reqs` on the command line, but this has
the same problem as the previous option.
* We could hope external developers will answer our pleas for supporting
EOL php, but I've emailed the elastica dev and they aren't interested in
supporting EOL PHP.

Barring other suggestions, I'm probably going to fork and re-publish
Elastica via the wikimedia GitHub.


[1] https://getcomposer.org/doc/06-config.md#platform
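Gergo's suggestion of a hand-maintained package definition, written out here as an added composer.json example (not code from either message, CirrusSearch, or Elastica): a `package`-type repository that points at the upstream Elastica Git repository but declares its own `php` requirement, so only this one dependency is exempted rather than faking the platform for everything. The package name `ruflin/elastica`, the repository URL, the tag `5.0.0`, the `reference` placeholder, and the PSR-4 autoload mapping are assumptions to be replaced with the values from upstream's own composer.json; repositories listed in composer.json are searched before Packagist, so this definition takes precedence.

```json
{
  "repositories": [
    {
      "type": "package",
      "package": {
        "name": "ruflin/elastica",
        "version": "5.0.0",
        "source": {
          "type": "git",
          "url": "https://github.com/ruflin/Elastica.git",
          "reference": "<commit-hash-of-the-5.0.0-tag-placeholder>"
        },
        "require": {
          "php": ">=5.5.9"
        },
        "autoload": {
          "psr-4": {
            "Elastica\\": "lib/Elastica/"
          }
        }
      }
    }
  ],
  "require": {
    "ruflin/elastica": "5.0.0"
  }
}
```

Pinning `reference` to a commit hash rather than a tag name keeps the install reproducible and verifiable against the locked hash, and because this repository type bypasses Packagist metadata entirely, `composer update` will not pick up upstream releases (including security fixes) until someone edits this file.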

Re: [Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-23 Thread Moritz Muehlenhoff
Hi,

On Fri, Jan 20, 2017 at 06:47:53PM -0800, Legoktm wrote:
> Somewhat related, in the last MediaWiki security release, the bugs
> already have CVE numbers assigned to them. Would it be possible to get
> CVE ids for extension security issues in advance as well?

That shouldn't be a problem; CVE IDs can be requested in advance
via this web form: https://cve.mitre.org/cve/request_id.html

(In the past this was done via an email address, but they recently
streamlined the process)

Cheers,
   Moritz
