Task #103082

closed

Replace former extension packages using self.version

Added by Thomas Hohn 10 months ago. Updated 4 months ago.

Status: Closed
Priority: Must have
Assignee:
Category: composer
Target version:
Start date: 2024-02-08
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 13
PHP Version: 8.2
Tags:
Complexity:
Sprint Focus:

Description

The so-called "death star" range for replacements has to be
used with caution [1], as it replaces all versions of the
replaced packages, including old or insecure versions.

That effectively means the replacing package marks itself as matching
in queries for insecure versions once a security advisory [2]
is submitted for the replaced packages.

The extension replacements need to be adapted to use the more precise
self.version qualifier to avoid matching named security advisories, as
suggested by:
https://github.com/Roave/SecurityAdvisories/issues/127#issuecomment-1933647035

[1] https://getcomposer.org/doc/04-schema.md#replace
[2] https://github.com/advisories/GHSA-cgr9-h9qq-x9fx
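To make the difference between the two replace forms concrete, the following is an added Python check; it is not code from the TYPO3 project or from this ticket. It loads two constructed composer.json fragments (one using the "death star" `*` range, one using `self.version`), resolves `self.version` from an assumed explicit `"version"` key in the fragment, and reports which replace claims overlap a constructed advisory range. The advisory range `>=10.0.0,<10.4.3` and the version `13.1.0` are made-up sample values, not taken from the GHSA linked above.

```python
import json
import re

# Constructed sample: the "death star" form. The replacing package claims every
# version of typo3/cms-about, including any version an advisory covers.
DEATH_STAR_JSON = """{
    "name": "typo3/cms-core",
    "version": "13.1.0",
    "replace": {
        "typo3/cms-about": "*"
    }
}"""

# Constructed sample: the self.version form. The claim is narrowed to the
# replacing package's own version (13.1.0 here).
SELF_VERSION_JSON = """{
    "name": "typo3/cms-core",
    "version": "13.1.0",
    "replace": {
        "typo3/cms-about": "self.version"
    }
}"""


def parse_version(text):
    """Turn '10.4.3' or 'v10.4.3' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def claimed_versions(composer_json_text):
    """Map each replaced package to the version claim the resolver will see.

    Assumption (not from the page): the package carries an explicit "version"
    key, which is what self.version is resolved against here.
    """
    data = json.loads(composer_json_text)
    own_version = data.get("version")
    claims = {}
    for name, constraint in data.get("replace", {}).items():
        if constraint == "self.version":
            if own_version is None:
                raise ValueError("self.version used without a version field")
            claims[name] = own_version
        else:
            claims[name] = constraint
    return claims


# One bound of an advisory range, e.g. ">=10.0.0" or "<10.4.3".
_BOUND = re.compile(r"^(<=|>=|<|>|=)?\s*v?(\d+(?:\.\d+)*)$")


def version_in_range(version, advisory_range):
    """True if `version` satisfies every comma-separated bound of the range."""
    v = parse_version(version)
    for part in advisory_range.split(","):
        match = _BOUND.match(part.strip())
        if not match:
            raise ValueError(f"unsupported bound: {part!r}")
        op = match.group(1) or "="
        bound = parse_version(match.group(2))
        satisfied = {
            "<": v < bound, "<=": v <= bound,
            ">": v > bound, ">=": v >= bound,
            "=": v == bound,
        }[op]
        if not satisfied:
            return False
    return True


def audit_replace(composer_json_text, advisories):
    """Report replaced packages whose claim overlaps a known advisory range.

    `advisories` maps package name -> affected range (constructed input).
    A wildcard claim overlaps every advisory for that package; an exact claim
    only overlaps when that version lies inside the affected range.
    """
    findings = []
    for name, claim in claimed_versions(composer_json_text).items():
        affected = advisories.get(name)
        if affected is None:
            continue
        if claim == "*":
            findings.append((name, claim, affected, "wildcard claims all versions"))
        elif version_in_range(claim, affected):
            findings.append((name, claim, affected, "claimed version is affected"))
    return findings


# Constructed advisory: a hypothetical fix landing in typo3/cms-about 10.4.3.
SAMPLE_ADVISORIES = {"typo3/cms-about": ">=10.0.0,<10.4.3"}

if __name__ == "__main__":
    for label, text in (("death star", DEATH_STAR_JSON), ("self.version", SELF_VERSION_JSON)):
        print(label, audit_replace(text, SAMPLE_ADVISORIES))
```

Running the block prints one finding for the `*` form and none for the `self.version` form: with the wildcard, the replacing package answers "yes" to every query about the replaced package, advisory matches included, while `self.version` confines the claim to the single version the replacing package actually ships.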

Actions #1

Updated by Gerrit Code Review 10 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863

Actions #2

Updated by Gerrit Code Review 10 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863

Actions #3

Updated by Gerrit Code Review 10 months ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863

Actions #4

Updated by Gerrit Code Review 10 months ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863

Actions #5

Updated by Thomas Hohn 10 months ago

  • Description updated (diff)

Actions #6

Updated by Thomas Hohn 10 months ago

  • Description updated (diff)

Actions #7

Updated by Gerrit Code Review 10 months ago

Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863

Actions #8

Updated by Benjamin Franzke 10 months ago

  • Subject changed from Remove reference to removed packages to Replace former extension packages using self.version
  • Description updated (diff)

Actions #9

Updated by Stefan Bürk 10 months ago · Edited

Investigation for provided change / notes

Using `self.version` for the replaces is not usable for us. The answer from `Ocramius` in the linked issue is a generic answer, and valid for a monorepo metapackage + split package style, for example what symfony provides. TYPO3 has no such approach.

This change would render the `replaces` useless from the original attempt. The attempt is to silently replace outdated/removed split packages with another image so an update simply works even if the old package is contained in the project/extension composer.json directly.

For example, having a (simplified)

{
   "require": {
      "typo3/cms-core": "^10.4",
      "typo3/cms-about": "^10.4" 
   }
}

and an upgrade will be done using:

composer require "typo3/cms-core":"^13" 

the death star would remove the dedicated package due to the replace. With `self.version` it will complain with the following errors:

Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - typo3/cms-about v10.4.0 requires typo3/cms-core 10.4.0 -> satisfiable by typo3/cms-core[v10.4.0] from composer repo (https://repo.packagist.org) but typo3/cms-core[13.1.x-dev] from path repo (../../typo3/sysext/*) has higher repository priority. The packages from the higher priority repository do not match your constraint and are therefore not installable. That repository is canonical so the lower priority repo's packages are not installable. See https://getcomposer.org/repoprio for details and assistance.
    - typo3/cms-about v10.4.1 requires typo3/cms-core 10.4.1 -> satisfiable by typo3/cms-core[v10.4.1] from composer repo (https://repo.packagist.org) but typo3/cms-core[13.1.x-dev] from path repo (../../typo3/sysext/*) has higher repository priority. The packages from the higher priority repository do not match your constraint and are therefore not installable. That repository is canonical so the lower priority repo's packages are not installable. See https://getcomposer.org/repoprio for details and assistance.
.... +xxx similar errors

Even if following is used:

composer require "typo3/cms-core":"^13" "typo3/cms-about":"^13" 

the current state would silently replace it, whereas the new thing would badly fail with a long list of errors. Sadly, most developers out there never really learned composer correctly, and those who are not firm with it would really be confused and coming into the cms channel asking for support. Just documenting it would not really help as they would not search for such things.

The pinpoint here is that there will not be a package version for the removed version in packagist meta-data matching the same version as the other packages.

failing one and drastically making the `User eXperience` a multitude worse.

Note: this can be simply tested with the following steps (with and without this change):

cd Build/composer/ && \
  rm -rf public vendor composer.json composer.lock && \
  cp composer.dist.json composer.json && \
  composer require --no-update --no-install \
    "typo3/cms-about":"^10.4" && \
  composer install && echo '>> success - yeah !' || echo '>> failed - bad'

Further handling

This requires first a deep discussion into which user experience we want to
end up with finally, and then take the appropriate actions.

Actions #10

Updated by Gerrit Code Review 10 months ago

Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82863

Actions #11

Updated by Gerrit Code Review 10 months ago

Patch set 1 for branch 13.0 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82841

Actions #12

Updated by Gerrit Code Review 10 months ago

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82873

Actions #13

Updated by Gerrit Code Review 10 months ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82874

Actions #14

Updated by Anonymous 10 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #15

Updated by Benni Mack 4 months ago

  • Status changed from Resolved to Closed