| 15 Apr 2022 |
Pol | yes, that's it | 12:53:34 |
Pol | A lot :) | 12:53:45 |
hexa | clarity | 12:53:50 |
Pol | yes, almost everything under 2.3.5 | 12:54:10 |
Pol | devil lies in the details! | 12:54:18 |
Pol | So, what do you propose? Should I add something in a release note somewhere? | 12:54:36 |
hexa | I love references in commit messages. Personally I'd go for:
php.packages.composer: 2.3.3 -> 2.3.5
https://github.com/composer/composer/releases/tag/2.3.4
https://github.com/composer/composer/releases/tag/2.3.5
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
Fixes: CVE-2022-24828
| 12:56:22 |
hexa | and release-21.11 needs to be handled separately since that version is so far off | 12:56:42 |
Pol | Ok. | 12:57:05 |
hexa | I see two options for release-21.11:
- backport https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
- move to the 2.2 LTS release, which received 2.2.12
| 13:00:30 |
hexa |
Composer 2.3 will increase the required PHP version to >=7.2.5 and thus stop supporting PHP 5.3.2 - 7.2.4.
| 13:03:42 |
hexa | but I'd be wary of backporting too many feature bumps | 13:03:56 |
Pol | hexa: for backporting, the branch is release-21.11? | 13:09:03 |
hexa | yep | 13:09:13 |
hexa | if you've never backported anything, check out the section in the contribution documentation | 13:09:51 |
Pol | ok | 13:10:01 |
Pol | Backport: https://github.com/NixOS/nixpkgs/pull/168785 | 13:13:08 |
hexa | so you're kinda saying these commits never happened there:
3aa6277c43b php74Packages.composer: 2.2.9 -> 2.3.3
8bf228ce2a4 php74Packages.composer: 2.2.7 -> 2.2.9
d118f55e231 php74Packages.composer: 2.2.6 -> 2.2.7
2b225076c7d php74Packages.composer: 2.2.3 -> 2.2.6
cb9f7cafde3 php74Packages.composer: 2.2.1 -> 2.2.3
5c6e813ba3e php74Packages.composer: 2.1.14 -> 2.2.1
0782984c059 php74Packages.composer: 2.1.9 -> 2.1.14 | 13:15:43 |
hexa | also what about breaking changes in these versions? | 13:16:18 |
Pol | There are none | 13:18:25 |
Pol | There are breaking changes, but for the plugin API "in" php. | 13:18:58 |
Pol | It won't impact users. | 13:19:03 |
hexa | fair, still need to pick up all individual commits there | 13:20:11 |
hexa | * fair, still need to pick up all individual commits there instead of mangling your own | 13:20:31 |
Pol | Really? | 13:21:33 |
Pol | So, the backport I did is not good? | 13:22:02 |
Pol | I need to replay (cherry-pick) all commits from unstable? | 13:22:28 |
Andreas Schrägle | cherry-pick -x preferably. So it's trivial to cross reference if something came from master or needed to be created specifically for a release branch, which is something we are trying to avoid. | 13:24:54 |
Pol | Ok I understand. | 13:26:48 |
Pol | Will do that. | 13:26:50 |