Page MenuHomePhabricator
Create Task
Maniphest T237596

Add MachineVision dependencies to vendor
Closed, ResolvedPublic
Actions

Description

I'm a little confused atm. The extension has been deployed to production, but the dependancies aren't in vendor...

This in most cases should've happened first, so how is the code actually working? Or is that Google code not used?

Maybe blocked on T227346: Security readiness review for the MachineVision extension and T237588: Security review for MachineVision libraries due to the mass of dependancies brought in

mv.png (712×1 px, 130 KB)

Reviewed/already deployed:

  • davedevelopment/stiphle
  • psr/cache
  • psr/http-message
  • ralouphie/getallheaders
  • guzzlehttp/psr7
  • guzzlehttp/promises
  • guzzlehttp/guzzle
  • firebase/php-jwt
  • google/auth
  • psr/log
  • monolog/monolog

Related Objects
Search...

Event Timeline

Reedy created this task.Nov 7 2019, 12:53 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 7 2019, 12:53 AM
Reedy updated the task description. (Show Details)Nov 7 2019, 3:03 AM
Reedy updated the task description. (Show Details)Nov 7 2019, 3:05 AM
Reedy updated the task description. (Show Details)Nov 7 2019, 3:14 AM
Aklapper renamed this task from Add MachineVision dependancies to vendor to Add MachineVision dependencies to vendor.Nov 7 2019, 1:19 PM
Mholloway added a project: Product-Infrastructure-Team-Backlog-Deprecated.Nov 14 2019, 2:56 PM
Mholloway moved this task from Needs triage to Needs investigation on the Product-Infrastructure-Team-Backlog-Deprecated board.
Mholloway added a subtask: T237588: Security review for MachineVision libraries.
Mholloway subscribed.
Mholloway moved this task from Backlog to Under discussion on the MachineVision board.Nov 18 2019, 4:28 PM
Reedy changed the task status from Open to Stalled.Dec 10 2019, 8:02 PM
Reedy changed the status of subtask T237588: Security review for MachineVision libraries from Open to Stalled.
In T237588#5648874, @Mholloway wrote:

Maybe it makes most sense to wait a bit and see how much staying power this feature has. If the extension sticks around long-term, it probably makes sense to switch to the google/auth library, and maybe the full google/cloud-vision library. If not, it's probably not worth the trouble of reviewing them.

Marking stalled as per this

Mholloway edited projects, added SDC-Statements (Machine-vision-depicts); removed Product-Infrastructure-Team-Backlog-Deprecated.Feb 12 2020, 4:52 PM
Restricted Application added a project: Structured-Data-Backlog. · View Herald TranscriptFeb 12 2020, 4:52 PM
Jcross closed subtask T237588: Security review for MachineVision libraries as Declined.Feb 25 2020, 6:16 PM
Sarahmarie1981 edited projects, added WMDE-Tech-Communication-Source-Code-Berlin; removed Structured-Data-Backlog.Mar 16 2020, 3:31 PM
Aklapper removed a project: WMDE-Tech-Communication-Source-Code-Berlin.Mar 16 2020, 4:11 PM
Mholloway added a project: Structured-Data-Backlog.Mar 16 2020, 6:20 PM
hashar added a parent task: T249845: CI jobs for WMF deployed extensions should use vendor.git , not composer.Apr 9 2020, 4:34 PM
hashar mentioned this in T249845: CI jobs for WMF deployed extensions should use vendor.git , not composer.
hashar subscribed.Apr 9 2020, 4:36 PM

I am puzzled by this task. If the extension is deployed to production how does it work if the dependencies are not shipped via mediawiki/vendor?

The CI jobs for MachineVision are currently using composer to install the dependencies and I would like to change them to use vendor instead (T249845).

Reedy added a comment.Apr 9 2020, 4:57 PM
In T237596#6043847, @hashar wrote:

I am puzzled by this task. If the extension is deployed to production how does it work if the dependencies are not shipped via mediawiki/vendor?

The CI jobs for MachineVision are currently using composer to install the dependencies and I would like to change them to use vendor instead (T249845).

f32859047715e3aa5ed51564dc9b3ba9ac6295c3 - basically they were dropped

There is only monolog that is "extra", but we have that in production already, so as is, other than explicitly requiring monolog (when it's just a require-dev/suggest)

Jdforrester-WMF subscribed.EditedApr 9 2020, 5:07 PM

Currently the code is:

	"require": {
		"ext-openssl": "*",
		"monolog/monolog": "^1.24.0"
	},

Which are both met in production. The other bits were removed in https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/MachineVision/+/f32859047715e3aa5ed51564dc9b3ba9ac6295c3%5E%21/#F1

Can we declare this Resolved?

Jdforrester-WMF closed this task as Resolved.Apr 9 2020, 5:19 PM
Jdforrester-WMF assigned this task to Mholloway.

Please re-open if I'm wrong.

hashar added a comment.Apr 9 2020, 8:02 PM

Thank you!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL