Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider using a composer.lock file #1094

Open
Pazns opened this issue Feb 19, 2022 · 6 comments · May be fixed by #1301
Open

Consider using a composer.lock file #1094

Pazns opened this issue Feb 19, 2022 · 6 comments · May be fixed by #1301

Comments

@Pazns
Copy link

Pazns commented Feb 19, 2022
edited
Loading

Baikal version: 0.9.1+

Problem you are having:
The project is not using Composer Lockfile feature. A composer.lock file :

  • locks the dependencies to confirmed working versions, for everyone ;
  • allows users to not have to trust blindly a tarball to get the "approved" dependencies ;
  • allows users to install the project by just git-pulling the project directly from Github ;
  • makes sure all users having trouble have the same dependencies and, therefore, that all issues are more easily reproduced.

Also, not using a composer.lock file is severely old sub-standard practice for a PHP Composer project.

Suggested solution:
Use a composer.lock file from now on, starting with current or next version.

The person currently uploading the installation tarball should push its composer.lock file as it can be considered the current truth.
It must be removed from .gitignore.

Using a composer.lock file doesn't prevent the current practice of making a tarball to continue.

Additional resources on this topic, as indicated by others in this thread :
https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control
@element-code
Copy link

https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control

Aditionally to comitting the lock file in the repository, the composer lock should be present in the tarball, to allow developers installing their own packages without hustle.

@wrvsrx wrvsrx mentioned this issue Jun 8, 2024
Closed
@wrvsrx
Copy link
Contributor

wrvsrx commented Nov 5, 2024

Since we have droped php 7.x, we don't need to consider the problem that php 7.x and php 8.x gives different lock files.

Should we commit a lock file to repo to make build reproducible?

@element-code
Copy link

Yes please

@ByteHamster
Copy link
Member

Doesn't the same apply to php 8.1 vs 8.2, etc, giving different lock files?

@wrvsrx
Copy link
Contributor

wrvsrx commented Nov 5, 2024
edited
Loading

According to my test, the lock file generated by php 8.2 can be used in php 8.3. But it can't be used by php 7.x. That's why I close my previous PR (At that time, baikal had not dropped php 7.x)

#1269

I'll test if the lock file is compatible from 8.1 to 8.3. If so, I'll make a PR.

wrvsrx added a commit to wrvsrx/Baikal that referenced this issue Nov 6, 2024
@wrvsrx
Add composer.lock
1907ac4 
Fix sabre-io#1094.

I generate composer.lock using php 8.1, and I have verified that the
composer.lock is compatible with php 8.1, 8.2, 8.3, 8.4.

Besides, we should always generate composer.lock using the minimium php
version that we support (For now it's php 8.1) to avoid compatibility issues.
@wrvsrx wrvsrx linked a pull request Nov 6, 2024 that will close this issue
Open
@wrvsrx
Copy link
Contributor

wrvsrx commented Nov 6, 2024

@ByteHamster Yes, php 8.1 and php 8.2 generate different lock files. But the lock file generated by php 8.1 is compatible with php 8.2/8.3/8.4. Here, "compatible" means if we first generate composer.lock using php 8.1, then run composer install using php 8.2/8.3/8.4, the lock file won't change and /vendor is created successfully.

So we can just generate the lock file using the minimum php version we support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add composer.lock wrvsrx/Baikal
Add composer.lock wrvsrx/Baikal
4 participants
@Pazns @ByteHamster @element-code @wrvsrx