OK so I want to use php-opencloud and was quite chagrined to find this in the install instructions:

You must install this library through Composer:

# Install Composer
curl -sS https://getcomposer.org/installer | php

# Require php-opencloud as a dependency
php composer.phar require rackspace/php-opencloud

Now I'm sure a lot of people are very excited by composer. I am not so excited.

Can anyone suggest a way that I might run these commands in a chroot jail or something so that I can truly understand what files are downloaded, what sites are accessed, what local files are changed, etc.?

Rants in favor of or against composer are also welcome.
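One way to get the visibility the question above asks for, as an added example that is not part of the original post and is not code from the php-opencloud or Composer projects: run the install command from a scratch directory with HOME redirected into it, hash every file before and after, and, when strace is usable, log the file and network system calls the command and its children make. The sandbox layout, the function names and the fake installer used in the demo are this example's own assumptions. Note that this observes rather than contains: a hostile installer can still read or write outside the scratch directory, so do it on a throwaway VM or container, and run it once more under `unshare -rn` (no network) to see what it actually needs to fetch.

```shell
#!/bin/sh
# Added example, not code from the thread, php-opencloud or Composer.
# Observe what an install command does: which files under the sandbox it creates
# or modifies, and (with strace) which files and network endpoints it touches.
# Layout and names below are this example's own choices; pass an absolute SANDBOX path.

# snapshot_tree DIR OUT: one "sha256  ./path" line per file under DIR, sorted by path
snapshot_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# changed_files BEFORE AFTER: paths that were added, removed or rewritten between snapshots
changed_files() {
    diff "$1" "$2" | awk '/^[<>]/ { print $3 }' | LC_ALL=C sort -u
}

# hosts_contacted TRACE: IP:port pairs passed to connect() in an "strace -f" log
hosts_contacted() {
    sed -n 's/.*connect(.*sin_port=htons(\([0-9]*\)), sin_addr=inet_addr("\([0-9.]*\)").*/\2:\1/p' "$1" \
        | LC_ALL=C sort -u
}

# observed_run SANDBOX CMD...: run CMD with cwd SANDBOX/fs/work and HOME=SANDBOX/fs/home,
# so a cache written to ~/.composer or ~/.cache lands inside the sandbox as well.
# Prints the changed paths; writes SANDBOX/trace.log when strace can attach
# (-f follows children, which matters because composer.phar may fork git, unzip or curl).
observed_run() {
    sandbox=$1; shift
    mkdir -p "$sandbox/fs/work" "$sandbox/fs/home"
    snapshot_tree "$sandbox/fs" "$sandbox/before.txt"
    if command -v strace >/dev/null 2>&1 && strace -o /dev/null true 2>/dev/null; then
        ( cd "$sandbox/fs/work" && HOME="$sandbox/fs/home" \
            strace -f -o "$sandbox/trace.log" -e trace=file,network "$@" )
    else
        ( cd "$sandbox/fs/work" && HOME="$sandbox/fs/home" "$@" )
    fi
    snapshot_tree "$sandbox/fs" "$sandbox/after.txt"
    changed_files "$sandbox/before.txt" "$sandbox/after.txt"
}

# --- demo: a constructed stand-in for "php composer.phar require ..." that drops a
# vendor tree and a cache file. For the real thing pass: php composer.phar require <pkg>
demo_sandbox=$(mktemp -d)
observed_run "$demo_sandbox" sh -c \
    'mkdir -p vendor/acme/lib && printf "<?php\n" > vendor/acme/lib/Acme.php && printf "{}" > "$HOME/.fake-cache"'
if [ -f "$demo_sandbox/trace.log" ]; then
    echo "endpoints contacted:"
    hosts_contacted "$demo_sandbox/trace.log"
fi
```

The changed-path list answers "what local files are changed"; `trace.log` answers "what sites are accessed" (grep it for `connect(` or use `hosts_contacted`) and "what files are read", since `-e trace=file` records every open and stat, including reads of files outside the sandbox.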

    I have never used Composer, but if you peruse /r/php on reddit, you will notice that pretty much everyone there uses it. I have read about its popularity a lot.

      TBH - I didn't know anyone actually used composer. It's in the instructions for a lot of libraries I've used - but I've never once HAD to use composer to get something working.

        Bonesnap;11051059 wrote:

        I have never used Composer, but if you peruse /r/php on reddit, you will notice that pretty much everyone there uses it. I have read about its popularity a lot.

        Heroin is also increasingly popular, but I'm not hoping to jump on that bandwagon either 😉

        I'm certainly aware of its popularity (and vaguely aware of laravel and such) but, being security-minded, I really am not crazy about the idea of introducing more automation and delegating automatic code installation to dubious legions of coders I don't know. I'm certainly dependent on ubuntu's package management (apt) but justify that one by the enormous volumes of time it saves me -- I'd otherwise be sorting out dependencies and downloading source and running buildconf/make/make install/etc. I find it nearly impossible to believe that installing php-opencloud is going to be a nasty job of tracking down dependencies.

          Derokorian;11051067 wrote:

          TBH - I didn't know anyone actually used composer. It's in the instructions for a lot of libraries I've used - but I've never once HAD to use composer to get something working.

          Nah I haven't used it either. Just curious though. Was hoping to run composer in some kind of chroot jail or something just to see what dependencies it might have fetched to save myself time.

          Anyone who wants to affirm the need for non-composer install here is most welcome 😉
          https://github.com/rackspace/php-opencloud/issues/634

            LOL please make composer secure, dated more than 3 years ago! What I know of the PHP community is very few even consider security, so good luck finding a system built in a secure manner to manage libraries.

            I'm still at ends with you on the apt thing. I absolutely hate aptitude and rely as little as possible on apt if stuck on a debian system. I do use yum quite a bit on RHEL systems, but never for primary application purposes (aka apache, and php never come from YUM). To each his own though, I'll do it my way and you do it yours. 🙂

            PS. The RCE thread for composer just made me happier that I'm not using it LOL

              Derokorian;11051077 wrote:

              LOL please make composer secure, dated more than 3 years ago! What I know of the PHP community is very few even consider security, so good luck finding a system built in a secure manner to manage libraries.

              Sadly, I agree with this. It makes me regret having chosen PHP as my web dev language. On the other hand, perhaps it presents an opportunity for security consulting? :evilgrin:

              Derokorian;11051077 wrote:

              I'm still at ends with you on the apt thing. I absolutely hate aptitude and rely as little as possible on apt if stuck on a debian system. I do use yum quite a bit on RHEL systems, but never for primary application purposes (aka apache, and php never come from YUM). To each his own though, I'll do it my way and you do it yours. 🙂

              Oh come now it's OK to use yum but not apt? Also, I would imagine that once you use either to install anything, your system is potentially compromised. Just curious what "non-primary application purposes" you might use it for.

              Personally, I figure "apt-get install blah blah" saves me so much time I am just resigned to using it. There's also apt-get update and apt-get upgrade which will automagically update everything for me to whatever the busy team of package maintainers have managed to establish as the latest package (which is not always as recent as I would like).

              If you disagree, perhaps you could share some of your recipe for setting up a server and keeping packages up-to-date? I also wonder if software updates have a tendency to break things. With cloud computing these days, it's a bit easier to get one server set up and save a snapshot of it.

              Derokorian;11051077 wrote:

              PS. The RCE thread for composer just made me happier that I'm not using it LOL

              This will probably make you even happier, although it depresses me quite a bit. I started an issue on github saying php-opencloud should offer instructions about how to install without composer. The response is really disappointing:

              jamiehannaford wrote:

              The issue you referenced lists lack of package signing as the key security flaw (which I totally agree with). But I'm not sure manually installing the dependencies yourself would overcome this problem, since Github (nor any of the project owners to my knowledge) currently support this. Sure you could download via HTTPS, but that's only one part of the problem.

              If you are determined to work around Composer, you would need to download all of the dependencies directly, verify them (not sure how you'd do this?), create your own PHP autoloader, and manually upgrade codebases every so often.

              Despite the lack of package signing and dodgy TLS support, Composer still remains the de facto standard for package management in the PHP community. If users do not want to use the default package manager, they're more than welcome to install things according to their own preferences, but I don't think that's within the remit of this project or its documentation.

              I interpret this as a mea culpa that the dev has prioritized convenience over security. Pretty worrisome when you're talking about something like php-opencloud.

              Perhaps someone can help me interpret the dependencies in the project's composer.json file? There seem to be two sets of dependencies: one for production and the other for development. I still wonder what the little paths refer to: e.g., guzzle/guzzle? Anyone know anything about composer.json file formats?
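The quoted reply above points out that fetching over HTTPS covers only part of the problem. The one part it does cover can at least be done properly for the `curl -sS https://getcomposer.org/installer | php` step: Composer's download page publishes a SHA-384 digest of the installer and asks you to compare it before running the script. As an added example that is not from the thread, php-opencloud or Composer, the script below downloads the installer to a file, fetches the published digest, and runs the installer only when the two agree. The digest URL is the one the Composer download page documents at the time of writing (confirm it there); the function and file names are this example's own. This detects a tampered or truncated download, nothing more: a digest is not a signature, and it says nothing about the packages Composer will later pull.

```shell
#!/bin/sh
# Added example, not code from the thread, php-opencloud or Composer. Replaces
# "curl -sS https://getcomposer.org/installer | php" with download, verify, then run.
# The digest URL is the one Composer's download page documents; names are this example's own.
INSTALLER_URL=https://getcomposer.org/installer
INSTALLER_SIG_URL=https://composer.github.io/installer.sig   # SHA-384 hex of the current installer

# sha384_of FILE: lowercase hex SHA-384 digest of FILE
sha384_of() {
    sha384sum "$1" | awk '{ print $1 }'
}

# verify_sha384 FILE EXPECTED: succeed only if FILE's digest equals EXPECTED
# (case-insensitive, surrounding whitespace ignored, empty EXPECTED never matches)
verify_sha384() {
    actual=$(sha384_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# install_composer_verified DIR: fetch the installer and its published digest into DIR,
# run the installer only if they agree, and never leave an unverified script behind.
# Usage: install_composer_verified ./bin   (produces ./bin/composer.phar on success)
install_composer_verified() {
    dir=$1
    mkdir -p "$dir"
    curl -sSf -o "$dir/composer-setup.php" "$INSTALLER_URL" || return 1
    expected=$(curl -sSf "$INSTALLER_SIG_URL") || return 1
    if ! verify_sha384 "$dir/composer-setup.php" "$expected"; then
        echo "installer digest mismatch, refusing to run it" >&2
        rm -f "$dir/composer-setup.php"
        return 1
    fi
    ( cd "$dir" && php composer-setup.php ) && rm -f "$dir/composer-setup.php"
}
```

Two separate TLS fetches from two hosts raise the bar slightly over one, but if you want the check to mean something, record the digest you verified against in your own notes or repository so the next install compares against a value you already trusted rather than whatever is published that day.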

                sneakyimp;11051095 wrote:

                Oh come now it's OK to use yum but not apt? Also, I would imagine that once you use either to install anything, your system is potentially compromised. Just curious what "non-primary application purposes" you might use it for.

                I just have such a problem getting everything working with apt. Maybe its my inexperience with it, but I often can't get all the packages and modules and settings I need from apt. I find their custom builds just too bothersome for me to work with, since the base package doesn't come with the defaults included for most things I've tried. What I mean by that is, apt-get install php5 does not give me a php that is similar/compatible with ./configure && make && make install. I'm not sure why they REMOVE defaults, but this has been my experience that they do. Yum just has maintainers I like better I guess? Still I only use it for things like iptables, git, tmux, and syslog. Also yum list installed is much easier to remember than dpkg --get-selections | grep -v deinstall

                sneakyimp;11051095 wrote:

                Personally, I figure "apt-get install blah blah" saves me so much time I am just resigned to using it. There's also apt-get update and apt-get upgrade which will automagically update everything for me to whatever the busy team of package maintainers have managed to establish as the latest package (which is not always as recent as I would like).

                If you disagree, perhaps you could share some of your recipe for setting up a server and keeping packages up-to-date? I also wonder if software updates have a tendency to break things. With cloud computing these days, it's a bit easier to get one server set up and save a snapshot of it.

                Well ansible is probably the easiest to use, but I've shared my server scripts in previous threads. Feel free to search the forums 😛

                As for keeping it up-to-date, again I prefer to have the latest updates released by php and apache when available, instead of relying on package maintainers to MAYBE get updates. This is an especially important skill to have in my mind anyway, if you ever get to a point that your version of distro is no longer supported (we have servers running CentOS 5) and a critical bug is found (heartbleed) you damn well better be able to close that hole without hoping someone releases a package update to some public repository which isn't actively maintained.

                Also, I absolutely, positively hate that I have to install like 20 packages in apt to get PHP to have the same modules as my build. While getting the same build by hand is simply copying the configure command which is easily retrievable from php -i.

                Additionally, making a package for yum and hosting your own repository is pretty easy. AFAIK, its also pretty easy with apt, but I haven't made any attempt to try. As such, to get the same php and required dependencies all I do is install my repo by scping it from another box, then do yum install dero-php. Boom, YUM just used my hand built packages for php and apache, but things like gd and curl come from the official repository.

                  sneakyimp wrote:

                  I would imagine that once you use either to install anything, your system is potentially compromised.

                  Unless you have personally checked the source code that you compile (and even then), once you install anything you did not write, your system is potentially compromised. I think it is reasonable to trust that official repositories are maintained by people that I can trust. Likewise for popular third party repositories (which is the case for some of my Python dependencies), with the idea that if the programmers behind them are malicious, they will get vilified and fired when discovered, so they have an incentive to be trustworthy.

                    laserlight;11051115 wrote:

                    Unless you have personally checked the source code that you compile (and even then), once you install anything you did not write, your system is potentially compromised. I think it is reasonable to trust that official repositories are maintained by people that I can trust. Likewise for popular third party repositories (which is the case for some of my Python dependencies), with the idea that if the programmers behind them are malicious, they will get vilified and fired when discovered, so they have an incentive to be trustworthy.

                    +1 for "reasonableness". I think that's often forgotten these days.

                    Derokorian;11051109 wrote:

                    I'm not sure why they REMOVE defaults, but this has been my experience that they do. Yum just has maintainers I like better I guess?

                    Also, I absolutely, positively hate that I have to install like 20 packages in apt to get PHP to have the same modules as my build. While getting the same build by hand is simply copying the configure command which is easily retrievable from php -i.

                    Can't say for sure on apt. The FreeBSD Ports/Packages system has a base php install, and a php-extensions install. So I do:

                    pkg install lang/php5

                    and get a very basic PHP, followed by

                    pkg install lang/php5-extensions

                    where I get a dialog box that allows me to select my extensions (curl, bcmath, gd, whatever), and then installs all of them.

                    Perhaps apt is meant to do something like that?

                      For me, building my own packages actually is not at all about security. I think you're misunderstanding me. It's about controlling the package, and knowing what I'm getting. If I build php myself with my configure command, I know I'm getting the same PHP no matter what distro I build it on. Whereas each distro has its own way of distributing PHP. For example, take a look at dalecosp's response. That's not at all how its done in apt or yum AFAIK.

                      The only thing security has to do with it, is I know I can get an updated patch the day it comes out, as opposed to whenever a maintainer updates a package. For me this was a big deal when the heartbleed non-sense was going on because I have a few OLD servers where packages are no longer maintained actively. While eventually I was able to revert to a yum package, for almost a month I was using a hand-built version to close the hole of heartbleed....

                        My approach to easy builds is not to concoct some master build shell script to compile everything from source, but rather to set up one server using a cloud system (Amazon EC2, Rackspace, DigitalOcean), make an image of it, and then base future servers off this baseline image. It's been my experience that a raw linux distro has various problems that need solving other than installing the PHP/MySQL/Apache stuff. E.g., samhain for source monitoring, various configurations related to sending outgoing mail, iptables, etc. When a new server is fired up, upgrading it is a simple matter of apt-get update / apt-get upgrade. Sure, I don't get the latest bleeding edge versions of stuff, but it's been my experience that important patches (heartbleed) come quickly and I almost never have to wrestle or sort out any dependencies or wrangle any incompatibilities. I realize that I am putting my trust in the package managers, but I expect they are more experienced than I. I do worry late at night sometimes that Chinese and Russian hackers have compromised the repos, but I can usually stop worrying and go to sleep.

                        Now, back to the original topic. Composer sucks. You guys may or may not appreciate my attempt to get instructions from the php-opencloud group on how to install their software without using composer:
                        https://github.com/rackspace/php-opencloud/issues/634

                          sneakyimp wrote:

                          As for jumping straight to 5.6 for V2 -- any reason for that? EOL for PHP 5.5 hasn't even been announced yet.

                          It most certainly has, please see the time-table for php version support here: http://php.net/supported-versions.php According to this, 5.5 is in security updates only as of 2 months ago, and has roughly 9 months of security support remaining.

                          However, regarding the rest of the conversation - that's just a ****ty response. I've similarly shied away from JS libs because they only have instructions for using say gulp or something. I really wish people would understand not everyone wants to use the package manager they like....

                            Derokorian;11051133 wrote:

                            It most certainly has, please see the time-table for php version support here: http://php.net/supported-versions.php According to this, 5.5 is in security updates only as of 2 months ago, and has roughly 9 months of security support remaining.

                            I didn't see it listed here: http://php.net/eol.php
                            Was not aware of that other page. Good to know. Anyone else think the PHP devs are being a bit overzealous? Especially in light of this depressing chart purporting to describe the distribution of PHP versions actually installed out there:

                            Derokorian;11051133 wrote:

                            However, regarding the rest of the conversation - that's just a ****ty response.

                            THANK YOU. I totally agree and am more than a little irritated. Were the system I'm working on not so tightly bound to rackspace, I would take my business elsewhere.

                            Derokorian;11051133 wrote:

                            I've similarly shied away from JS libs because they only have instructions for using say gulp or something. I really wish people would understand not everyone wants to use the package manager they like....

                            Agreed. To me the issue is only partially about introducing some other litany of dependencies. It is perhaps more about the fact that those dependencies are developed by groups further and still farther removed. If you trust one package enough to install it, that trust must also extend to all the other stupid packages upon which it depends.

                              That guy on Github wrote:

                              Composer still remains the de facto standard for package management in the PHP community.

                              Yeah this was what I was referring to. If you step foot in some PHP communities and admit you either a) don't use Composer or worse, b) don't use a package manager at all, the pitchforks and downvotes will be assembled in record time. In my opinion it hurts PHP and web development as a whole since no rational discussion can even begin to take place. I face the same problems admitting I use WordPress (WordPress is reviled in /r/php), and have even been told to remove it entirely from my resume if looking for a job (except for a WordPress-specific job, of course). It's straight up prejudice and just plain stupid.

                              Derokorian;11051133 wrote:

                              I really wish people would understand not everyone wants to use the package manager they like....

                              Agreed. I haven't used one before other than NPM, but that's only to install Less and UglifyJS on my system so PhpStorm can utilize them. If I want to use jQuery I either just download it from their site or take a copy of the .js file from another project and drop it in my includes folder of my current one. I'm not suggesting they don't have their purpose or benefits, but not providing a way to use your library or resource without the use of a package manager is just poor decision making.

                              sneakyimp;11051135 wrote:

                              Anyone else think the PHP devs are being a bit overzealous?

                              Yes, though from a personal standpoint I love it. New features, performance improvements, security patches. Awesomesauce. From just about every other perspective, it's a ticking time bomb.

                              From everything I have read it's a problem in PHP overall and it's getting worse as time goes on. Some people blame the PHP developers, some people blame hosts, some people blame users, others have no idea who to blame they just like to be loud.

                              It's becoming more and more of an issue with WordPress installations since there are so many of them and no one seems to update (their PHP version). When I got this job 4.5 years ago and started using WordPress it was right around then they had raised the minimum PHP version to 5.2. They also raised the minimum MySQL version but I don't recall the version. Anyway, from what I have read in recent discussions on their Trac site, even raising the minimum to 5.2 broke a lot of sites. There was a recent conversation I read that even got a little heated between plugin developers and the WordPress developers about a plan about the future and raising the minimum to... anything, at this point. The word is there is zero plan about the future, and zero plans to raise it anytime soon. Doing so, in the WordPress developers' eyes, would be too catastrophic and would break too many sites. The only good news is, according to their own stats, the numbers of WordPress installations running on 5.3 and lower is decreasing, though I guess not fast enough.

                              The big issue that keeps coming up is plugin developers are using newer and newer techniques that require higher PHP versions. Even using namespaces (version 5.3) has become an issue since there are numerous installs still on 5.2 or lower. I have found using array dereferencing (my favourite and most-used feature in a long time) constantly breaks sites because it requires 5.4, and all too often we end up dealing with a host that has 5.3 installed. Sometimes we can change the version, but it depends on the host.

                              I don't know what the solution is. I just know I want to use PHP 7 sooner rather than later because it is chock full of improvements that would be useful to me in my daily work. Null coalescing operator? Yes please! Goodbye tiresome ternary statements. Spaceship operator (officially known as combined comparison operator)? Yes please! Custom sorting functions can be taken care of in a single line of code. A ridiculous improvement in performance? Yes please! I just have to wait until 2025 to use it.

                                Bonesnap;11051139 wrote:

                                Yeah this was what I was referring to. If you step foot in some PHP communities and admit you either a) don't use Composer or worse, b) don't use a package manager at all, the pitchforks and downvotes will be assembled in record time. In my opinion it hurts PHP and web development as a whole since no rational discussion can even begin to take place. I face the same problems admitting I use WordPress (WordPress is reviled in /r/php), and have even been told to remove it entirely from my resume if looking for a job (except for a WordPress-specific job, of course). It's straight up prejudice and just plain stupid.

                                I can appreciate the motivation behind composer, but I think its primary effect is dependency bloat, which leads to a whole slew of maintenance problems that the package manager is supposed to solve. For example on php-opencloud, the dev relied on guzzle to develop rather than concocting his own curl statements or code. Since guzzle has been deprecated, they need to upgrade which the devs admit "is a big task". The latest version of php-opencloud has even more dependencies. I think composer ends up being a bit of a boondoggle for amateurs who think they will save time. Still, I'm curious about it. I'm curious to know why the young zealots think it's so helpful. Perhaps it's a useful tool in the hands of a good dev, but for bad devs it's just enough rope for them to hang themselves.

                                As for WordPress, I must admit that I hate working with it. I can totally appreciate the need for and motivation behind a CMS, but I've always found WP to be hard to work with -- really opaque in its coding style. I think it's a valuable skill. I'm not sure how I'd feel seeing it on a resume. On the one hand my coding partners have a great need for WordPress skills -- a lot of clients have installations. On the other hand, I'm kind of a snob about development and might be suspicious that someone who's a WordPress pro perhaps never felt the call to move to bigger & better things. You are clearly hearing that call.

                                Bonesnap;11051139 wrote:

                                Agreed. I haven't used one before other than NPM, but that's only to install Less and UglifyJS on my system so PhpStorm can utilize them. If I want to use jQuery I either just download it from their site or take a copy of the .js file from another project and drop it in my includes folder of my current one. I'm not suggesting they don't have their purpose or benefits, but not providing a way to use your library or resource without the use of a package manager is just poor decision making.

                                JQuery is amazing. Just drop it in. Bootstrap also offers great advantages if you just drop it in. I've yet to bite on less and that other stuff. Any package-managing ecosystem (apt, yum, npm, composer, etc.) seems to be its own kind of ecosystem. I think it's ironic that the dependency-managing package managers themselves become a dependency at some point. Which to learn and which to kick to the curb?

                                Bonesnap;11051139 wrote:

                                Yes, though from a personal standpoint I love it. New features, performance improvements, security patches. Awesomesauce. From just about every other perspective, it's a ticking time bomb...

                                I wonder if perhaps this is part of the life cycle of all coding ecosystems? Microsoft became a vast behemoth because of its wide adoption and popularity. Then MS gets bogged down trying to support windows XP for like 20 years and when they finally decide to upgrade from VB6 to .NET then they TOTALLY SCREW all those companies that used VB6 to code their company's solution. I worked with a small fruit processing factory that had invested years in VB6. When MS dropped support for it, they had to rewrite the entire code base. It took over a year I think and lots of money.

                                You see similar situations in other ecosystems: Android has splintered into a million variations. You'd think old languages die but there are still COBOL jobs and FORTRAN jobs out there to maintain ancient code.

                                I sort of imagine code like a lawn. It grows crazy and wild over time and you have to work to prune it and keep it tidy or it will destroy your house.

                                  Some more synergistic magic from my interaction with rackspace. I called them to try and find out what distros+versions of linux they offer for their Cloud Servers (the versions they offer are confusingly not displayed anywhere on their website). I eventually called them and it took about 15 minutes to get the info, mostly on hold, the other half bickering with the sales people who were trying to get any account credentials I might have had. This gem is apparently in response to an email I sent to try and get that info:

                                  Hi [sneakyimp],

                                  Wanted to reach out and see if we can push the ball forward on your project.

                                  I am the Business Development Consultant for your account here at Rackspace and I want to make sure we get an engineer on the line so we can architect some infrastructure to fit the scope.

                                  Let me know what time works for you early next week and we can hop on my conference bridge.

                                  Thanks,
                                  [name redacted]

                                  This guy clearly didn't read the email I sent in which I described that we already used them for our project, along with various other details.

                                  WTF is a "conference bridge?"

                                  Anyways, it would seem that Rackspace is certainly growing. They are starting to give off that impersonal vibe you get from AT&T or Comcast or something.

                                    sneakyimp;11051159 wrote:

                                    the dev relied on guzzle to develop rather than concocting his own curl statements or code. Since guzzle has been deprecated, they need to upgrade which the devs admit "is a big task".

                                    Because writing a class around curl is such a big undertaking that I would rather use an existing project... oh wait...

                                    sneakyimp;11051159 wrote:

                                    As for WordPress, I must admit that I hate working with it. I can totally appreciate the need for and motivation behind a CMS, but I've always found WP to be hard to work with -- really opaque in its coding style. I think it's a valuable skill. I'm not sure how I'd feel seeing it on a resume. On the one hand my coding partners have a great need for WordPress skills -- a lot of clients have installations. On the other hand, I'm kind of a snob about development and might be suspicious that someone who's a WordPress pro perhaps never felt the call to move to bigger & better things. You are clearly hearing that call.

                                    I feel very much the same. When I tried to get into wordpress I just felt like the code was too much of a mess for me to bother spending all my time learning. Knowing how to work with WP is a skill in and of itself, and while I won't discount someone's intelligence for working with WP - I may doubt their high end coding skills. Albeit not enough to avoid talking to them, in the end - you can't judge a book by its cover or a developer by their resume (you can make assumptions, but they may be very poor assumptions).

                                    sneakyimp;11051159 wrote:

                                    JQuery is amazing. Just drop it in. Bootstrap also offers great advantages if you just drop it in. I've yet to bite on less and that other stuff.

                                    Do it! Learn less. Combined with bootstrap (which provides many less variables) you can find yourself writing FAR less verbose styling.

                                    sneakyimp;11051159 wrote:

                                    Any package-managing ecosystem (apt, yum, npm, composer, etc.) seems to be its own kind of ecosystem. I think it's ironic that the dependency-managing package managers themselves become a dependency at some point. Which to learn and which to kick to the curb?

                                    I guess we should make an effort to learn any PM directly related to the software we use. Another problem I have with composer, is that I can manage dependencies with git itself, and the use of submodules. So why can't something on github just define the submodules it needs, and if I need it, I'll define a submodule? Checkouts can happen recursively for defined submodules... I often wonder why this isn't a feature of git NO ONE uses....

                                    sneakyimp;11051159 wrote:

                                    I sort of imagine code like a lawn. It grows crazy and wild over time and you have to work to prune it and keep it tidy or it will destroy your house.

                                    😃

                                      Derokorian;11051169 wrote:

                                      Because writing a class around curl is such a big undertaking that I would rather use an existing project... oh wait...

                                      OK yeah ouch. NO, I don't want to go and comprehend the OpenStack API to the extent I can write my own curl statements, even though I feel like I'm pretty good at writing curl code in PHP. My client doesn't want that either. It's my personal opinion that relying on some clown's now-deprecated abstraction of curl is a totally unnecessary dependency. Abstracting a cloud api, on the other hand, seems like not just a necessary dependency, but also a good idea. My business logic should be isolated from the details of the HTTP interactions.

                                      Derokorian;11051169 wrote:

                                      Do it! Learn less. Combined with bootstrap (which provides many less variables) you can find yourself writing FAR less verbose styling.

                                      I don't really do much styling. I've got a tin ear (a tin eye?) for design and usually make it clear that if people want a site to look nice they'll need someone who is good with the colors and fonts. I've known for some time that my judgement in this realm leaves something to be desired and have tried to steer my skillset toward other things...mostly backend type stuff (cloud backend, performance, encryption, multithreading, multi-node architectures). Not sure how much success I've had...😕

                                      Derokorian;11051169 wrote:

                                      I guess we should make an effort to learn any PM directly related to the software we use. Another problem I have with composer, is that I can manage dependencies with git itself, and the use of submodules. So why can't something on github just define the submodules it needs, and if I need it, I'll define a submodule? Checkouts can happen recursively for defined submodules... I often wonder why this isn't a feature of git NO ONE uses....

                                      I should be more receptive to PMs and tools. I always hate and resist and then end up using them anyway. I'm not familiar with this git feature. Do tell?
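What the submodule approach described above looks like end to end, as an added example that is not from the thread (the repository names, paths, the `git_q` wrapper and the throwaway library are this example's own): the application repository records the dependency's exact commit id, a `--recursive` clone checks out that commit and nothing else, and a later commit in the library does not move the pin until someone deliberately updates and commits it. That pinned hash is the security-relevant difference from a version range: what you reviewed is what gets deployed. The wrapper sets `protocol.file.allow=always` only because the demo uses local paths; git 2.38.1 and later refuse `file://` submodule URLs by default (a deliberate hardening), and you should not set it for real repositories.

```shell
#!/bin/sh
# Added example, not code from the thread. Vendoring a dependency with git submodules:
# the superproject stores a gitlink (a commit id) for vendor/lib, so clones are pinned.
# Names and layout are this example's own.

# git_q ...: git with a fixed identity, quiet defaults, and local-path submodules
# permitted (only needed for this demo's file-based repositories; see lead-in).
git_q() {
    git -c user.name=example -c user.email=example@example.invalid \
        -c init.defaultBranch=main -c protocol.file.allow=always "$@"
}

# make_library DIR: a throwaway "library" repository with one committed file
make_library() {
    mkdir -p "$1"
    git_q -C "$1" init -q
    printf '<?php\n// version 1 of the library\n' > "$1/Lib.php"
    git_q -C "$1" add Lib.php
    git_q -C "$1" commit -q -m 'library v1'
}

# make_app DIR LIB_URL: the application repository, vendoring LIB_URL at vendor/lib
# (.gitmodules records the URL, the tree records the commit id that was checked out)
make_app() {
    mkdir -p "$1"
    git_q -C "$1" init -q
    git_q -C "$1" submodule add -q "$2" vendor/lib
    git_q -C "$1" commit -q -m 'pin library as submodule'
}

# pinned_commit APPDIR: the library commit the superproject's HEAD points at
pinned_commit() {
    git_q -C "$1" rev-parse HEAD:vendor/lib
}

# clone_recursive URL DEST: clone the app and check out every submodule at its pinned commit
clone_recursive() {
    git_q clone -q --recursive "$1" "$2"
}

# --- demo ---
demo_root=$(mktemp -d)
make_library "$demo_root/lib"
make_app "$demo_root/app" "$demo_root/lib"
clone_recursive "$demo_root/app" "$demo_root/clone"
echo "app pins library at $(pinned_commit "$demo_root/app")"
git_q -C "$demo_root/clone" submodule status
```

To move the pin you run `git -C vendor/lib checkout <new commit>` and commit the superproject; `git diff` on that commit shows exactly the old and new library commit ids, which is the review point Composer's version ranges do not give you.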