On Tue, Jun 3, 2014 at 2:07 AM, Bryan Davis <bd...@wikimedia.org> wrote:
> I have converted my email on using composer to manage a set of library
> dependencies for MediaWiki-Core [0] into an RFC [1]. Work is
> continuing on the implementation of this project, but there are still
> debatable implementation details and the RFC process is meant to not
> only validate ideas but leave behind a record of the design decisions
> that have been made and trade-offs that were considered in the
> process.
>
> In particular, the current draft RFC omits discussion of the concept
> of library "ownership" for long term updates and security fixes and
> could use more detail around the process of forking, patching and
> subsequently maintaining an external library. I will attempt to fill in
> some of these details as I see them over the next day or so, but now
> would be a great time for people with strong ideas or opinions on
> these aspects to comment on the talk page.
>
> [0]: http://www.gossamer-threads.com/lists/wiki/wikitech/467520?page=last
> [1]: https://www.mediawiki.org/wiki/Requests_for_comment/Composer_managed_libraries_for_use_on_WMF_cluster
Thanks in no small part to a reminder from Sumana, I have updated the RFC for "Composer managed libraries for use on WMF cluster". Much of the initial work required for this RFC has now been implemented:

* The mediawiki/core/vendor.git gerrit repository has been created.
* make-wmf-branch has been updated to branch mediawiki/core/vendor and add it as a submodule on new 1.XwmfY branches.
* The beta cluster is tracking the current HEAD of mediawiki/core/vendor's master branch.
* The PSR-3 logging interface and Monolog libraries have been added to mediawiki/core/vendor via gerrit commits.
* Work is progressing to configure Jenkins/Zuul to check out mediawiki/core/vendor during test runs.

I would appreciate feedback on the RFC. In particular I would like to see discussion on how we should manage tracking upstream vulnerabilities and security patches for deployed libraries. How should we assign "ownership" of maintaining a particular library and what techniques can we use to ensure that vulnerabilities are patched in a timely and responsible manner?

Bryan
--
Bryan Davis Wikimedia Foundation <bd...@wikimedia.org> [[m:User:BDavis_(WMF)]]
Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
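The open question in the message above is how to track upstream vulnerabilities for libraries pinned in a Composer-managed vendor tree. The mechanical half of that is a check that compares the versions pinned in composer.lock against a list of advisories with affected-version ranges. The following is an added example written for this thread; it is not MediaWiki, Composer or WMF tooling, and it is in Python rather than PHP so it can run as a stand-alone CI script. The lock-file excerpt, the package "example/vendor-lib", and both advisory entries are constructed for illustration and do not describe any real vulnerability. It deliberately includes a "1.10.0" pin to show why lexicographic string comparison of versions is not good enough, and it reports non-comparable "dev-*" pins for manual review rather than silently passing them.

```python
"""Compare composer.lock pins against an advisory list.

Added example for this thread, not MediaWiki or Composer code. The lock
excerpt, advisory ids and the package "example/vendor-lib" are constructed
for illustration only.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed composer.lock excerpt. A real lock file carries many more
# fields; only "packages"/"packages-dev" with "name" and "version" matter here.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "1.0.0"},
        {"name": "monolog/monolog", "version": "1.10.0"},
        {"name": "example/vendor-lib", "version": "v2.1.3"},
    ]
})

# Constructed advisories (hypothetical ids and ranges, not real CVEs).
# "affected" uses a comma-separated subset of Composer's constraint syntax.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example/vendor-lib",
     "affected": ">=2.0.0,<2.2.0", "fixed_in": "2.2.0"},
    {"id": "EXAMPLE-0002", "package": "monolog/monolog",
     "affected": "<1.5.0", "fixed_in": "1.5.0"},
]

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "==": lambda a, b: a == b,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Normalise a Composer tag ("v2.1.3", "1.10") to a comparable int tuple.

    Pre-release suffixes (-beta1, -RC2) are dropped. Branch pins such as
    "dev-master" have no comparable version and raise, so callers can flag
    them for manual review instead of treating them as safe.
    """
    v = v.strip()
    if v.startswith("dev-") or v.endswith("-dev"):
        raise ValueError(f"non-comparable dev version: {v}")
    m = re.match(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))  # 1.10 -> (1, 10, 0)


def in_range(version: str, constraint: str) -> bool:
    """True if every clause of the constraint holds for the version."""
    ver = parse_version(version)
    for clause in constraint.split(","):
        m = re.match(r"(<=|>=|==|<|>|=)\s*(.+)", clause.strip())
        if not m:
            raise ValueError(f"bad constraint clause: {clause}")
        op, bound = m.group(1), parse_version(m.group(2))
        if not _OPS[op](ver, bound):
            return False
    return True


def load_pins(lock_json: str) -> Dict[str, str]:
    """Map package name -> pinned version from composer.lock JSON text."""
    lock = json.loads(lock_json)
    pins: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            pins[pkg["name"]] = pkg["version"]
    return pins


def find_vulnerable(lock_json: str, advisories: List[dict]) -> List[dict]:
    """Return advisories whose affected range matches a pinned version.

    Dev pins that cannot be compared are returned with a "review: ..."
    status so they are never silently ignored.
    """
    pins = load_pins(lock_json)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is None:
            continue
        try:
            hit = in_range(pinned, adv["affected"])
        except ValueError as exc:
            findings.append({**adv, "pinned": pinned, "status": f"review: {exc}"})
            continue
        if hit:
            findings.append({**adv, "pinned": pinned, "status": "vulnerable"})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f'{f["id"]}: {f["package"]} {f["pinned"]} is {f["status"]}'
              f' (fixed in {f["fixed_in"]})')
```

Run against the constructed data it reports only EXAMPLE-0001: monolog/monolog 1.10.0 is not below 1.5.0 once versions are compared numerically. In a real pipeline the advisory list would come from a maintained feed and the script would run against the vendor submodule's composer.lock on every branch cut, failing the build on a "vulnerable" or "review" result.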