
Stop using integration/composer and then archive the repo
Open, Medium, Public


Not absolutely sure we want to do this everywhere?


Event Timeline

modules/profile/manifests/releases/mediawiki.pp:    class { '::contint::composer': }

That is for the releases Jenkins which we should overhaul and migrate to a different system, namely using Docker / VM ( ).

modules/role/manifests/ci/slave/labs.pp:    include contint::composer

I guess we can drop that one and purge the repository from all the Jenkins agents.

modules/phragile/manifests/init.pp that is solely on WMCS.

Maybe those can be ported to wget the composer.phar, verify the checksum and put it under /usr/local/bin? An alternative is to craft a dummy Debian package to ship the .phar which might be reasonably easy to do. Composer 1.10-1 is packaged in Debian, should be possible to backport it to all the distributions on which we need it.

For the CI containers we went to use upstream composer.phar.

For deployment of composer on WMCS instances via puppet, it seems to me a Debian package will be a better fit. So marking as being blocked by T249525: Use packaged composer.
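One way to do the "wget the phar, verify the checksum, drop it in /usr/local/bin" variant described above, as an added example that is not from this task or from Wikimedia's puppet tree. The pinned SHA-256 is a placeholder to be replaced with the value published for the chosen release, and the script name, function names and download URL are assumptions.

```shell
#!/bin/sh
# install-composer.sh (hypothetical): fetch composer.phar, verify it against a
# checksum pinned in configuration, then install it atomically on PATH.
set -eu

COMPOSER_VERSION="${COMPOSER_VERSION:-1.10.22}"   # version mentioned in the task
# Placeholder: take the real hash from the upstream release and pin it here.
COMPOSER_SHA256="${COMPOSER_SHA256:-<sha256-of-pinned-release-placeholder>}"
COMPOSER_URL="https://getcomposer.org/download/${COMPOSER_VERSION}/composer.phar"

# verify_phar FILE EXPECTED_SHA256: succeed only if FILE hashes to EXPECTED.
verify_phar() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_phar FILE EXPECTED_SHA256 DEST: refuse to install on a mismatch;
# otherwise copy to a temp name in DEST's directory and rename, so a
# half-written or unverified phar is never reachable at DEST.
install_phar() {
    file=$1; expected=$2; dest=$3
    if ! verify_phar "$file" "$expected"; then
        echo "checksum mismatch for $file, refusing to install" >&2
        return 1
    fi
    tmp=$(mktemp "$(dirname "$dest")/.composer.XXXXXX")
    install -m 0755 "$file" "$tmp"
    mv -f "$tmp" "$dest"
}

# fetch_and_install DEST: download into a scratch dir, then hand off to
# install_phar, which does the verification.
fetch_and_install() {
    dest=$1
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    wget -q -O "$workdir/composer.phar" "$COMPOSER_URL"
    install_phar "$workdir/composer.phar" "$COMPOSER_SHA256" "$dest"
}

# Usage: install-composer.sh /usr/local/bin/composer
# Without an argument the functions are only defined (handy for sourcing).
if [ "$#" -gt 0 ]; then
    fetch_and_install "$1"
fi
```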

hashar triaged this task as Medium priority. May 5 2020, 3:21 PM

Change 607858 had a related patch set uploaded (by Hashar; owner: Dzahn):
[operations/puppet@production] releases::mediawiki: remove PHP packages

Change 607858 merged by Dzahn:
[operations/puppet@production] releases::mediawiki: remove PHP packages

I have cleaned the releases* hosts.

Change 675213 had a related patch set uploaded (by Hashar; author: Dzahn):
[operations/puppet@production] delete contint::composer

Change 675213 merged by Dzahn:
[operations/puppet@production] delete contint::composer

@Legoktm, is there a nice way to stop extdist still using this? Same for WMCS folk and the Toolforge usage.

I can manually re-build the repo to 1.10.22 but that won't re-generate the instances' local clones of it, I presume?

Change 683764 had a related patch set uploaded (by Jforrester; author: Jforrester):
[integration/composer@master] Upgrade composer to 1.10.22, per CVE-2021-29472

Change 683764 abandoned by Hashar:
[integration/composer@master] Upgrade composer to 1.10.22, per CVE-2021-29472

> Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system

That is really for packagist and we don't have mercurial anywhere.

I'd like to avoid upgrading composer cause I have absolutely no idea what kind of side effect it will have for us. So unless an update is really required, I do not want to update composer :)

Mentioned in SAL (#wikimedia-releng) [2021-10-11T15:35:53Z] <hashar> gerrit: marked integration/composer read-only. We are no more using it and the few use cases left are tracked at

hashar changed the status of subtask T249525: Use packaged composer from Stalled to Open.
hashar removed a project: Toolforge.

Toolforge is in progress via T287900 (thank you).

I filed T293055 for extdist which would require new VM based on Bullseye to replace the Stretch ones.