Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:125940
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by qa.php.net (Postfix) with ESMTPS id 95B031A00BD
	for <internals@lists.php.net>; Mon, 11 Nov 2024 08:38:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1731314466; bh=fGtMxzZzUzK94Lac9tp4R555vIuvujVZxZLMRTJdQPg=;
	h=Date:From:To:In-Reply-To:References:Subject:From;
	b=l79OiNoQdP7NMuPZgx1wqUtqWjAuvJgYTQ3Nm0Djp5UElINHY/nIdeBIA5rCNiIvi
	 vmpFWh8INE/cRO2J1XO43oMug7gm37KaahnT2B2R7+cUp+NVaFJB44J7Mmxr6pncmZ
	 ovcGOJS/+FNmikh4ACH9AE23txRwmQttgWxLMZGYbDC0ZbX92xGmRx0a/4drSEgHA3
	 Y3eE88UlL5uYqjFm+BjS6ACwSXJNmNEZZEYOwANXUJvMDUvSrPKUy3DM/uJLpecwT9
	 I1L0JpJHZNfpCc76YlYE4V0LtM8sAjkd1kAks55G8/UwnonTBDlDbby0zUg70c7df6
	 WzAkacjJ8g+aA==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 40070180037
	for <internals@lists.php.net>; Mon, 11 Nov 2024 08:41:05 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,RCVD_IN_DNSWL_LOW,
	SPF_HELO_PASS,SPF_NONE autolearn=no autolearn_force=no version=4.0.0
X-Spam-Virus: No
X-Envelope-From: <larry@garfieldtech.com>
Received: from fhigh-b5-smtp.messagingengine.com (fhigh-b5-smtp.messagingengine.com [202.12.124.156])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 11 Nov 2024 08:41:04 +0000 (UTC)
Received: from phl-compute-01.internal (phl-compute-01.phl.internal [10.202.2.41])
	by mailfhigh.stl.internal (Postfix) with ESMTP id A6ABD25400D9
	for <internals@lists.php.net>; Mon, 11 Nov 2024 03:38:29 -0500 (EST)
Received: from phl-imap-06 ([10.202.2.83])
  by phl-compute-01.internal (MEProxy); Mon, 11 Nov 2024 03:38:29 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	garfieldtech.com; h=cc:content-transfer-encoding:content-type
	:content-type:date:date:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:subject:subject:to
	:to; s=fm3; t=1731314309; x=1731400709; bh=kTpIUsf8JKTH36P2b5dTO
	wT4hsF/7iSqTXkaYs285Ps=; b=uO3CTFq1dPlvRRaU4pzQFPjrU6S1rG35bO/6A
	tfFt9MxT+b954zYtpHD8fzyUwn3ccoQRF4dil1SSBqGnw7IWQjp5cf76con172C+
	SB1/GQHsb5IugQQnZXaGaCQpkHX2G1Htav1HJ3T+fsxYoiA0mfZ5atAXfQF4rss3
	4+ZPiLuThh/8KhjBzv2F/p4Ez89AoGfxBrnnTlW0/ms6IgCq4wnRKB355VOvoAlK
	CkDCl+B4GovbGpc2RIK78d+5oy0foCsLZats+SN6vBu/miRq7X/zvL60BEmoZxvj
	CwGSGX5N7AkKsbsC6IF74V3wWTiItuKKKAA5XtQwq1+i5aYGw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-transfer-encoding:content-type
	:content-type:date:date:feedback-id:feedback-id:from:from
	:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:subject:subject:to:to:x-me-proxy:x-me-sender
	:x-me-sender:x-sasl-enc; s=fm3; t=1731314309; x=1731400709; bh=k
	TpIUsf8JKTH36P2b5dTOwT4hsF/7iSqTXkaYs285Ps=; b=hRfJoAVauVHSB6fxE
	ksw//jgEMWEUAxiLKjdHUauQIvZEGNPuE0W+uSZ6CvembFKg50xYC9UkxZAtg+OZ
	L4/dfRKCOZoxzihvxYYusObjCgKy+do0B0MRR6FrpG1F7KHSFqH6auWKZSunvAOn
	GtZG21NOQxSC68ujfXM9fPESqB2rLbBDiNhJsW6XmzoWQ53dpT04yedQpVsa5sbm
	tLSgVewfyeLoaNuaajARQGEowpO9GBcQM9O58QFgZQgW6s6eTd+ZaWS0mHiuF1xv
	QxL0ufYlR+8uuRcDxxh9QS5D83LIelzSSrVRUGsGgCrPRs1mfaSZ3Lj3nuk78CWI
	5jHIw==
X-ME-Sender: <xms:hcIxZwZS2ZBUXaGPbplzA_9M0_wofbFKgtMgaOJhHg39mSFXu1EOLQ>
    <xme:hcIxZ7ZstwWwfGwAY4SNG6dQ2urHxd7en8ycrCsaRA7GH-nCN5mKhiJFnGRKyqNfB
    FdSRbEFEs3h4A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddruddugdduvdduucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
    rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh
    htshculddquddttddmnecujfgurhepofggfffhvffkjghfufgtgfesthhqredtredtjeen
    ucfhrhhomhepfdfnrghrrhihucfirghrfhhivghlugdfuceolhgrrhhrhiesghgrrhhfih
    gvlhguthgvtghhrdgtohhmqeenucggtffrrghtthgvrhhnpeffieeivdfhvdeguddttdeg
    teeiueegvefhteehfeeffeetudeitdehtdegjeeuieenucevlhhushhtvghrufhiiigvpe
    dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlrghrrhihsehgrghrfhhivghlughtvggt
    hhdrtghomhdpnhgspghrtghpthhtohepuddpmhhouggvpehsmhhtphhouhhtpdhrtghpth
    htohepihhnthgvrhhnrghlsheslhhishhtshdrphhhphdrnhgvth
X-ME-Proxy: <xmx:hcIxZ68l7T3qgEMhVGWpzi7fIMh3XuH7nKDx3HOEMDZKxo7tXbxzAg>
    <xmx:hcIxZ6qxCzJC4SnfSPWcCD8KZC0BC9oY-RrfUNLk8WhO2IcP60NuHA>
    <xmx:hcIxZ7ollUE4Oo7hZaDPtrONtJ-rVOrbBcTddZ-kG_X8uiO4MHkjCw>
    <xmx:hcIxZ4TIxIAFaRdoEUY9jGGFgWXvY0VqCDhCfxmanpVqNC48cnL9Qg>
    <xmx:hcIxZ1FAPNlvrrl4d5FgomzDWnSFctAAMvH90VUUQ-CqEMI-705p40GX>
Feedback-ID: i8414410d:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501)
	id 2495329C006F; Mon, 11 Nov 2024 03:38:29 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
Precedence: bulk
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: internals.lists.php.net
x-ms-reactions: disallow
MIME-Version: 1.0
Date: Mon, 11 Nov 2024 02:38:08 -0600
To: "php internals" <internals@lists.php.net>
Message-ID: <65a90257-b9d1-4ff2-9d4c-b4c4b6c7d4b2@app.fastmail.com>
In-Reply-To: <1265782C-6018-40B9-84FD-0F22BF4DEECE@getmailspring.com>
References: <2bdad6e0-e5e0-48a6-bbd3-b938804287ca@app.fastmail.com>
 <1265782C-6018-40B9-84FD-0F22BF4DEECE@getmailspring.com>
Subject: Re: [PHP-DEV] [RFC][Vote] Policy on third party code
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: larry@garfieldtech.com ("Larry Garfield")

On Mon, Nov 11, 2024, at 1:14 AM, John Coggeshall wrote:
> On Nov 11 2024, at 12:03 am, Larry Garfield <larry@garfieldtech.com> w=
rote:
>>=20
>> First off, the obligatory "it was open for discussion for a month, an=
d now you mention this?"
>
> I apologize for that, wasn't intentional. Unfortunately a whole pile o=
f=20
> personal matters landed on my head between ... let's say October and=20
> November 6th that kept me from focusing on internals. As might be=20
> expected, the vote refocused my attention.

Quite...=20

> I think this is worth discussing a bit more below,...
>
> TL;DR; I will at a minimum abstain from voting on this rather than vot=
e=20
> "no" as my intent isn't to derail progress here.

Thank you.  I appreciate your openness here.

> As I eluded to above, I am certainly not suggesting we endorse a singl=
e=20
> framework. I guess at the end of the day I've got a number of issues=20
> with the specifics of the language around how decisions are made in=20
> this doc, but I will concede that at least there is a document here=20
> that can be refined which is indeed a step forward. If you're=20
> interested some the concerns I have are (I'm focused on the maintainer=20
> bits below but I think they also largely apply to the marketing=20
> criteria as well):
>
>  =E2=80=A2 I don't think the "version 1.0" requirement is a good one, =
only=20
> because I strongly suspect it wouldn't take me very long to find a ver=
y=20
> reasonable library that for whatever reason is 0.8 or something... so=20
> now it can't be used, unless there is an RFC?

See, I find the 1.0 requirement far less arbitrary than the minimum main=
tainers requirement.  Assuming the library is following semver (most do,=
 mostly), having a 1.0 gives us a reasonable expectation that the API wo=
n't change out from under us in a minor release.  In a 0.x, that is by d=
efinition a risk, making it not necessarily stable enough to trust.  (Th=
ere are indeed some libraries that stay in 0.x land forever, despite bei=
ng well maintained.  These maintainers are Doing It Wrong(tm) and need t=
o stop.)

>  =E2=80=A2 I don't understand what the point of the "Explicitly approv=
ed" list=20
> is, if the point is any and all libraries which meet the acceptance=20
> criteria can be used without asking for permission then they are by=20
> default approved, right?

The criteria are by necessity squishy.  They're guidelines and heuristic=
s, but the PHP ecosystem is far too complex for a series of yes/no binar=
ies to make sense in most cases.  And different people will no doubt int=
erpret different cases differently.

So as a hypothetical, suppose someone tries to mention ramsey/uuid on a =
marketing page.  Another person objects, saying that it isn't important =
enough of a library to the ecosystem as a whole to warrant a mention.  W=
e resolve that conflict by having an RFC to add ramsey/uuid to the "this=
 is definitely OK according to these criteria" list.  If it passes, then=
 we've resolved it: Mentioning ramsey/uuid is now explicitly OK on marke=
ting pages, and if someone objects in the future we can say "look, we al=
ready voted on it and decided it was OK.  Stop fussing."

>  =E2=80=A2 The library should have an active developer community of at=
 least 2=20
> developers, and the library should have an currently active developmen=
t=20
> history of at least 1 year.=20

I see the intent here, to ensure a library isn't going to be abandoned. =
 However, the vast majority of libraries are single-developer.  Even tho=
se that have contributions from others are realistically one-person-proj=
ects.  Looking at ramsey/uuid again (sorry Ben, don't mean to pick on yo=
u), ramsey himself has 705 commits.  Dependabot is #2.  The second human=
 is jmauerhan at 35, so around 5% ish as many, all before 2020.  Does th=
at count as an "active developer community of at least 2"?  I'd say no. =
 But that library is a staple of the ecosystem and has been for over a d=
ecade.  It's not going anywhere.  It's probably more reliably maintained=
 than many 2-3 person projects that never really got off the ground.  So=
 even if we could quantify what counts as "2 active developers", it's st=
ill a fairly poor signal of reliability.

--Larry Garfield