| 7 Feb 2024 |
 @patka_123:matrix.org | That is a good explanation of why a lot of projects don't provide a composer.lock. The FOSS packages we maintain at $work also don't have a lock | 05:08:45 |
| @patka_123:matrix.org | In reply to @drupol:matrix.org
https://github.com/php-parallel-lint/PHP-Parallel-Lint/issues/153 that issue makes we want to reconsider adding composer.lock in nixpkgs I don't understand this. Putting a package under by-name is done for applications, so there you want a lock file. The application is the "end user" and thus decides all versions.
If you have some kind of library that might be a dependency elsewhere then the package should be in something like php83. and you still want a lock file.
We can't magically figure out at runtime which dependencies to build if there is no lockfile.
| 06:05:55 |
| @patka_123:matrix.org | Or am I missing something? | 06:06:15 |
 @etu:failar.nu | In reply to @drupol:matrix.org
Elis 🌱: Have a look at how Rector is packaged... https://github.com/rectorphp/rector Yeah... I mean... it's one way :D | 06:12:03 |
| @patka_123:matrix.org | In reply to @drupol:matrix.org
Elis 🌱: Have a look at how Rector is packaged... https://github.com/rectorphp/rector To me it makes sense. They are just "vendoring" their dependencies so they provide all dependencies for you already.
Unless you override it the dictate the exact dependencies. This seems to me the most reproducible way, isn't it?
| 06:18:45 |
| @patka_123:matrix.org | In reply to @drupol:matrix.org
Elis 🌱: Have a look at how Rector is packaged... https://github.com/rectorphp/rector * | 06:34:29 |
 @drupol:matrix.org | In reply to @patka_123:matrix.org
I don't understand this. Putting a package under by-name is done for applications, so there you want a lock file. The application is the "end user" and thus decides all versions.
If you have some kind of library that might be a dependency elsewhere then the package should be in something like php83. and you still want a lock file.
We can't magically figure out at runtime which dependencies to build if there is no lockfile.
Composer.lock should be available if and only if the package you're shipping is meant to be an application. | 08:00:03 |
| @drupol:matrix.org | In reply to @patka_123:matrix.org
To me it makes sense. They are just "vendoring" their dependencies so they provide all dependencies for you already. Unless you override it they dictate the exact dependencies. This seems to me the most reproducible way, isn't it? The vendor dir is incomplete. That's the funny part ! | 08:00:39 |
| @drupol:matrix.org | Jan Tojnar: Do you think it's ready to merge? https://github.com/fossar/nix-phps/pull/321 | 08:21:21 |
| @patka_123:matrix.org | Who can make issue labels for nixpkgs? Every language seems to have a "6.topic: java" like tag.
But there's none for php
| 11:07:07 |
| @drupol:matrix.org | In reply to @drupol:matrix.org
Let's see how they are going to react with this: https://github.com/Smile-SA/gdpr-dump/issues/95 Feel free to add your +1 and comments! | 11:07:19 |
| @patka_123:matrix.org | And is there anything (that's not too difficult) I can help with? I can't find any open packaging requests for php | 11:08:47 |
| @patka_123:matrix.org | In reply to @drupol:matrix.org
Feel free to add your +1 and comments! I'm still not sure if I agree. It can be installed with Composer and it states that it supports multiple php versions. They would also have a valid reason to not include a lock file | 11:11:55 |
| @drupol:matrix.org | If they produce a PHAR, that means that they have the composer.lock that works ! https://github.com/Smile-SA/gdpr-dump/releases/tag/4.0.3 | 11:12:50 |
| @drupol:matrix.org | That means that they can ship it. | 11:12:58 |
| @drupol:matrix.org | In reply to @patka_123:matrix.org
And is there anything (that's not too difficult) I can help with? I can't find any open packaging requests for php There are no package request AFAIK... however, there's a bug that might need some investigations here: https://github.com/NixOS/nixpkgs/issues/281584 | 11:14:42 |
| @drupol:matrix.org | And if you want to fulfill package requests: https://github.com/NixOS/nixpkgs/issues/280374 | 11:15:39 |
| @drupol:matrix.org | Another easy one: https://github.com/NixOS/nixpkgs/issues/262142 | 11:17:44 |
| @patka_123:matrix.org | In reply to @drupol:matrix.org
If they produce a PHAR, that means that they have the composer.lock that works ! https://github.com/Smile-SA/gdpr-dump/releases/tag/4.0.3 The phar just means that they also distribute an end user application.
If I have a work project and decide to use their tool and use composer for that I'd want to choose my own versions (or at least their their lock is accommodating enough).
So from their POV you can still make a valid case that a lock is not needed. And only useful if you create an end user application (which we do for nixpkgs so we can generate it ourselves)
| 11:19:12 |
| @drupol:matrix.org | Then they should provide the composer.lock file along with the PHAR file. Don't you think? | 11:19:49 |
| @drupol:matrix.org | I any case, moving the responsibility of creating the composer.lock file to the users consuming the application is a bad idea in general. They should provide it in a way. | 11:20:49 |
| @patka_123:matrix.org | They can provide it next to the PHAR, but can still decide to not put one in the repo, so end users can create one themselves | 11:21:50 |
| @drupol:matrix.org | Yes, that's the middle-ground compromise that I wrote in my message. | 11:23:04 |
| @patka_123:matrix.org | In reply to @drupol:matrix.org
Yes, that's the middle-ground compromise that I wrote in my message. Ah sorry, somehow missed that. | 11:23:42 |
| @drupol:matrix.org | 
Download image.png | 11:24:32 |
| @patka_123:matrix.org | That'd be great! | 11:28:34 |
| @drupol:matrix.org | OK we finally agree :D | 11:29:23 |
| @drupol:matrix.org | In reply to @patka_123:matrix.org
The phar just means that they also distribute an end user application.
If I have a work project and decide to use their tool and use composer for that I'd want to choose my own versions (or at least their their lock is accommodating enough).
So from their POV you can still make a valid case that a lock is not needed. And only useful if you create an end user application (which we do for nixpkgs so we can generate it ourselves)
Just FYI, the most used testing framework in the PHP ecosystem, PHPUnit... did it without any trouble... so I don't see why it wouldn't be possible somewhere else. | 11:37:41 |
| @patka_123:matrix.org | I'm not saying what should be done. Just that if they decide not to provide a lock, that their reason is also valid :) | 11:47:31 |
| @patka_123:matrix.org | Talking about phpunit. Would it be an idea to package paratest? We use that extensively and I see that it is not packaged yet | 11:48:08 |
