Page MenuHomePhabricator

Add MachineVision dependencies to vendor
Closed, ResolvedPublic

Description

I'm a little confused atm. The extension has been deployed to production, but the dependancies aren't in vendor...

This in most cases should've happened first, so how is the code actually working? Or is that Google code not used?

Maybe blocked on T227346: Security readiness review for the MachineVision extension and T237588: Security review for MachineVision libraries due to the mass of dependancies brought in

Reviewed/already deployed:

  • davedevelopment/stiphle
  • psr/cache
  • psr/http-message
  • ralouphie/getallheaders
  • guzzlehttp/psr7
  • guzzlehttp/promises
  • guzzlehttp/guzzle
  • firebase/php-jwt
  • google/auth
  • psr/log
  • monolog/monolog

Event Timeline

Reedy created this task.Nov 7 2019, 12:53 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 7 2019, 12:53 AM
Reedy updated the task description. (Show Details)Nov 7 2019, 3:03 AM
Reedy updated the task description. (Show Details)Nov 7 2019, 3:05 AM
Reedy updated the task description. (Show Details)Nov 7 2019, 3:14 AM
Aklapper renamed this task from Add MachineVision dependancies to vendor to Add MachineVision dependencies to vendor.Nov 7 2019, 1:19 PM
Reedy changed the task status from Open to Stalled.Dec 10 2019, 8:02 PM
Reedy changed the status of subtask T237588: Security review for MachineVision libraries from Open to Stalled.

Maybe it makes most sense to wait a bit and see how much staying power this feature has. If the extension sticks around long-term, it probably makes sense to switch to the google/auth library, and maybe the full google/cloud-vision library. If not, it's probably not worth the trouble of reviewing them.

Marking stalled as per this

Restricted Application added a project: Structured-Data-Backlog. · View Herald TranscriptFeb 12 2020, 4:52 PM
hashar added a subscriber: hashar.Apr 9 2020, 4:36 PM

I am puzzled by this task. If the extension is deployed to production how does it work if the dependencies are not shipped via mediawiki/vendor?

The CI jobs for MachineVision are currently using composer to install the dependencies and I would like to change them to use vendor instead (T249845).

Reedy added a comment.Apr 9 2020, 4:57 PM

I am puzzled by this task. If the extension is deployed to production how does it work if the dependencies are not shipped via mediawiki/vendor?

The CI jobs for MachineVision are currently using composer to install the dependencies and I would like to change them to use vendor instead (T249845).

f32859047715e3aa5ed51564dc9b3ba9ac6295c3 - basically they were dropped

There is only monolog that is "extra", but we have that in production already, so as is, other than explicitly requiring monolog (when it's just a require-dev/suggest)

Currently the code is:

	"require": {
		"ext-openssl": "*",
		"monolog/monolog": "^1.24.0"
	},

Which are both met in production. The other bits were removed in https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/MachineVision/+/f32859047715e3aa5ed51564dc9b3ba9ac6295c3%5E%21/#F1

Can we declare this Resolved?

Jdforrester-WMF closed this task as Resolved.Apr 9 2020, 5:19 PM
Jdforrester-WMF assigned this task to Mholloway.

Please re-open if I'm wrong.

hashar added a comment.Apr 9 2020, 8:02 PM

Thank you!