Add composer.lock #5576
Thanks @onny for opening the issue, I was about to do it in the near future. I invite the maintainers of this repo to read the similar issues I opened in some other projects.
Thank you for your contribution. I appreciate the time you invested in preparing this pull request. However, I have decided not to merge it. A Users of PHPUnit install PHPUnit using one of two mechanisms: they either download a PHP Archive (PHAR) that contains PHPUnit (and its dependencies) from I think that you should consider "installing" / using PHPUnit from a PHAR instead of installing it using Composer.
Hi, I understand. However, I believe this request is primarily aimed at enhancing PHPUnit's integration and ensuring long-term reliability for package managers like apt, rpm, yum, etc. Introducing a I understand your suggestion to use the PHAR file, which represents the "compiled" output. However, in Nix/NixOS (or any other), a source-based distribution, our preference is to compile everything rather than rely on pre-compiled binaries. Without a As a less demanding alternative, could you consider publishing the What do you think?
Let me start by saying that the information is already there:
The
I understand that. I have been trying to raise awareness for software supply chain issues through presentations for years. So far, though, it had not occurred to me that putting
And this is why: I do not think that PHPUnit should be installed using an operating system package manager. Quoting from PHPUnit's documentation:
👍
It's unfortunate we didn't meet at IPC Munich; discussing this over a drink would have been enlightening!
This is relevant when someone else wants to reproduce locally the PHAR file. Without it, it's not possible to guarantee the reproducibility.
Regarding PHPUnit's installation: The primary goal here is not to encourage widespread installation via OS package managers. Instead, it's about ensuring reproducibility, which is a separate issue. Linux offers numerous ways to deploy a "binary" (app), and this request isn't about altering that. However, Nix uniquely allows defining "per project" dependencies, independent of the PHP version used in your project. This capability is demonstrated in the screencast at slide 95 of this year's IPC presentation, showcasing a project using PHP 5.6 while running PHPStan on PHP 8. Anyway, I'm looking forward to seeing how you're going to include the Have a good day.
I think there is/was a "race condition" and you did not read #5576 (comment) before writing #5576 (comment) (or maybe I was not clear enough). TL;DR: The
Indeed! I started my message in the train and finished it at work, I didn't see the intermediate comment. Glad to read that you're going to put it under VC! Cool!
On NixOS we introduced a build helper which works great for building PHP applications from source NixOS/nixpkgs#248184
Unfortunately we're requiring the composer.lock file present in the source root directory. For PHPUnit we manually added the composer.lock file to our derivation which requires us to update the file with every new version NixOS/nixpkgs@dfa9e40
This PR adds the composer.lock file to the project source.
@drupol