Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Write copy of a patch to a project directory for code review #534

Closed
4 tasks done
donquixote opened this issue Dec 8, 2023 · 6 comments
Closed
4 tasks done

Write copy of a patch to a project directory for code review #534

donquixote opened this issue Dec 8, 2023 · 6 comments
Labels
enhancement New features, options, or other additions.

Comments

@donquixote
Copy link

donquixote commented Dec 8, 2023
edited

Verification

  • I have updated Composer to the most recent stable release (composer self-update)
  • I have updated Composer Patches to the most recent stable release (composer update cweagans/composer-patches)
  • I am using one of the supported PHP versions (8.0+)
  • I have searched existing issues and discussions for my idea.
    (maybe different search terms would lead to a result - I can't say)

Is your feature request related to a problem?

For patches from root composer.json:

  • When working with remote patches, there is a risk that the same patch url might return something different in the future, possibly malicious.
  • When working with local patches, developers can easily lose track of where the patch was downloaded from. On the other hand, local patch files can be verified in a code review.

For patches from dependencies:

  • A project developer has no control over patches from dependencies.
  • A patch url from a dependency could one day return something different, possibly malicious. This is the same problem as above, just with even less control.
  • On the other hand, if we disable patches from dependency and instead define them locally (currently not possible), then it will be really hard to keep track, and create the local patch files needed for specific dependencies.

Describe your proposed solution(s)

Create a mechanism that does both:

  • The developer specifies a remote url to download the patch from. This can include patches from dependencies.
  • The patch is downloaded into a local directory inside the project, managed by version control.
  • The patch is applied. (TBD)
  • The developer can review the changes in the patch files with e.g. git diff.

All steps of this mechanism have to be part of composer-install, because new versions of dependencies might bring new patches.

TBD: The developer might want to review the patch before it is applied. Not sure how this can be done if it all has to be part of composer-install.

Describe alternatives

The patch content and/or a checksum could be written into composer.lock.

The problem with checksum is that it would be very convenient for developers to ignore a change and to think it is all good.

Additional context

No response
@donquixote donquixote added the enhancement New features, options, or other additions. label Dec 8, 2023
@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 8, 2023

👋 Thanks for the idea! Please remember that this is an open source project - feature requests may or may not be implemented, and if they are, the timeline is unknown. If you need a guaranteed implementation or timeline, sponsorships are welcome!

@donquixote donquixote changed the title Write Write copy of a patch to a project directory for code review Dec 8, 2023
@cweagans
Copy link
Owner

This is already covered in the 2.0.0 beta. Patch checksums are stored in a patches lock file (separate from composer.lock because of limitations in composer 2). Please update to that beta release and let me know what you think!

@cweagans
Copy link
Owner

Closing for now, but let me know if you need something more than what 2.0.0-beta1 provides.

@donquixote
Copy link
Author

donquixote commented Dec 11, 2023
edited

Patch checksums are stored in a patches lock file (separate from composer.lock because of limitations in composer 2).

Checksums are an improvement.
But there is still the problem that reviewers would just overlook a checksum change, thinking it is "probably just a reroll".
If the entire patch is downloaded and tracked in git, then the actual functional changes will be much more visible in a review.

Please update to that beta release and let me know what you think!

Hi
I tried to test the v2 on the project I was working on.
But the 3rd party packages that introduce patches still required the v1 of composer-patches. So I stopped it for now.
I even tried "2.something as 1.something", but this ran into an incompatibility somewhere.
I should give it another go.

@donquixote
Copy link
Author

donquixote commented Dec 11, 2023
edited

This is already covered in the 2.0.0 beta.

Is there an existing issue, change record or PR to look at?

@donquixote
Copy link
Author

donquixote commented Dec 11, 2023
edited

I see:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New features, options, or other additions.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cweagans @donquixote