Newsgroups: php.internals
Subject: Re: [PHP-DEV] Disable PEAR by default
From: alice@librelamp.com (Alice Wonder)
To: internals@lists.php.net
Date: Fri, 1 Feb 2019 17:18:04 -0800
Message-ID: <77f41814-bb27-bdf0-44d3-d59b64de7d45@librelamp.com>
References: <7a909cd3-5d0f-8f2e-fba8-009778311bf0@php.net>

On 2/1/19 5:12 PM, Peter Kokot wrote:
> Hello,
>
> On Sat, 2 Feb 2019 at 02:08, Alice Wonder wrote:
>> I do not like composer. A problem I have encountered: a project
>> specifies a version for a dependency.
>>
>> That version has a vulnerability, the developer fixed it in a newer release, but
>> composer keeps pulling in the older version because that is what
>> composer provides.
>>
>> And it can be the dependency of a dependency of a dependency.
>>
>> I do not like Composer.
>>
>> Adding a "recognition page" while cutting PEAR off also seems, well, slimy.
>
> Frankly, this is irrelevant. If you don't use Composer, that's your
> choice. PEAR isn't maintained and will cause similar issues all the
> time. Not removing this installation option from php-src in the near
> future means maintaining patches for all that time this option will be
> present in the PHP and shipping separate pear package for all Linux
> distributions. I don't like the sound of that.
>

Many PEAR packages are maintained, and they are globally installed, meaning when a vulnerability is found, there is one copy to be fixed and everything on the system is fixed. Composer is like static linking compared to PEAR, which is like shared linking.

Yes, it's my opinion; it just seems that deprecating it is a reactionary decision caused by the current unfortunate situation, but there's no reason why Composer will not also have the same issue as the current situation.

All it takes is hijacking a github account and trojan updates are easy to push through composer.

So what problem is this really solving?
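The scenario the thread argues about (a lock file pinning a transitive dependency at a version that has since been fixed upstream) can be checked mechanically. The script below is an added example written for this page; it is not part of the php.internals discussion, of Composer, or of PEAR. It reads a composer.lock excerpt (only the real `packages` / `name` / `version` / `require` fields are used), compares each pinned version against an advisory list, and walks the `require` graph backwards so the output names the top-level package that is actually responsible for the pin. The lock file contents, the package names and the advisory entries are all constructed and hypothetical; the constraint syntax (`<1.5.0`, `>=1.4.0,<1.5.0`) is the script's own simplification, not Composer's.

```python
"""Audit a Composer lock file for pinned versions that match a known advisory.

Added example, not code from the php.internals thread, Composer or PEAR.
The lock file and the advisory list are constructed; package names, versions
and advisory ids are hypothetical.
"""
import json
import re

# Constructed composer.lock excerpt. "vendor/app-kit" pins "acme/http-client"
# at 1.4.2 only transitively, via "acme/rest-sdk" (the dependency-of-a-dependency case).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/app-kit", "version": "2.0.0",
         "require": {"acme/rest-sdk": "^3.1"}},
        {"name": "acme/rest-sdk", "version": "3.1.7",
         "require": {"acme/http-client": "~1.4.0"}},
        {"name": "acme/http-client", "version": "1.4.2", "require": {}},
        {"name": "other/logger", "version": "5.2.1", "require": {}},
    ]
})

# Constructed advisory list (hypothetical ids, not real CVEs or GHSA entries).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-0001", "package": "acme/http-client",
     "affected": "<1.5.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-ADVISORY-0002", "package": "other/logger",
     "affected": "<5.0.0", "fixed": "5.0.0"},
]


def parse_version(v):
    """'v1.4.2' / '1.4.2' -> (1, 4, 2); pre-release suffixes after '-' are ignored."""
    nums = re.findall(r"\d+", v.split("-")[0].lstrip("v"))
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))


def is_affected(version, constraint):
    """Evaluate a comma-joined list of '<X', '<=X', '>X', '>=X', '==X' bounds."""
    ver = parse_version(version)
    for part in constraint.split(","):
        m = re.match(r"\s*(<=|>=|==|<|>)\s*(.+)", part)
        if not m:
            raise ValueError(f"unsupported constraint: {part!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {"<": ver < bound, "<=": ver <= bound, ">": ver > bound,
              ">=": ver >= bound, "==": ver == bound}[op]
        if not ok:
            return False
    return True


def load_lock(text):
    """Index packages (prod and dev) by name with their pinned version and requires."""
    data = json.loads(text)
    pkgs = {}
    for section in ("packages", "packages-dev"):
        for p in data.get(section, []):
            pkgs[p["name"]] = {"version": p["version"],
                               "require": p.get("require", {})}
    return pkgs


def dependency_paths(pkgs, target):
    """All chains root -> ... -> target, i.e. who is responsible for this pin."""
    requirers = {}
    for name, info in pkgs.items():
        for dep in info["require"]:
            requirers.setdefault(dep, []).append(name)
    paths = []

    def walk(node, path):
        parents = requirers.get(node, [])
        if not parents:
            paths.append(list(reversed(path)))
            return
        for parent in parents:
            if parent not in path:  # guard against cyclic requires
                walk(parent, path + [parent])

    walk(target, [target])
    return paths


def audit(lock_text, advisories):
    """Return one finding per advisory whose package is pinned at an affected version."""
    pkgs = load_lock(lock_text)
    findings = []
    for adv in advisories:
        info = pkgs.get(adv["package"])
        if info and is_affected(info["version"], adv["affected"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "pinned": info["version"], "fixed": adv["fixed"],
                             "paths": dependency_paths(pkgs, adv["package"])})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{f['id']}: {f['package']} pinned at {f['pinned']}, fixed in {f['fixed']}")
        for p in f["paths"]:
            print("    via " + " -> ".join(p))
```

On the constructed input the only finding is acme/http-client 1.4.2, reached through vendor/app-kit -> acme/rest-sdk -> acme/http-client; other/logger is above its fixed version and is not reported. The path output is the part that matters in practice: bumping the direct dependency alone does nothing if an intermediate package's `~1.4.0` constraint is what keeps the old version pinned.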