phpmd / phpmd

PHPMD is a spin-off project of PHP Depend and aims to be a PHP equivalent of the well-known Java tool PMD. PHPMD can be seen as a user-friendly front-end application for the raw metrics stream measured by PHP Depend.

Home Page:https://phpmd.org

Adding `composer.lock` in VCS?

drupol opened this issue

Hi there,

I'm writing to suggest an enhancement for this project to improve its integration and ensure long-term reliability, particularly for package managers like apt, rpm, yum, nix, etc.

The primary goal here is to enable reproducibility of the exact build of the PHAR released, down to the last bit. This is crucial, especially when distributing it as a binary, for reasons of reliability and security.

To achieve this, I propose adding a composer.lock file to this repository. This file will ensure that phpmd is reproducible on any system, regardless of environmental differences, by locking down specific versions of dependencies. Its absence currently hinders the ability to precisely replicate the builds you provide in your GitHub releases, introducing potential variability.

For reference, here are some projects that have recognized the value of versioning the composer.lock file:

If there are concerns about including the composer.lock file in the main repository, could it be an option to add it to the release artefacts on GitHub instead? This compromise would still greatly benefit reproducibility and consistency in dependency management.

Thank you for considering this enhancement. I look forward to your response.
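The kind of check the proposal above enables, written here as an added example that is not part of this issue or of the phpmd project: once a `composer.lock` ships with a release, a packager can audit it for reproducibility (every dependency pinned to an exact version and an immutable commit reference) and diff it against the lock produced by a rebuild to spot drift. The lock contents below are constructed for illustration; package names, URLs and commit ids are placeholders.

```python
"""Audit a composer.lock for build reproducibility.

Added example, not phpmd project code. It reads the `packages` and
`packages-dev` sections of a parsed composer.lock, flags entries that are
not pinned tightly enough to rebuild bit-for-bit, and compares two lock
files (e.g. the one shipped with a release PHAR and the one a rebuild
produced). All sample data here is constructed; the hashes are placeholders.
"""
import json
import re

# A Git commit id is 40 hex chars. A reference that is only a tag or branch
# name can resolve to different content on a later rebuild.
_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")
# A locked version must be exact; ranges and wildcards defeat the purpose.
_RANGE_CHARS = re.compile(r"[\^~*<>|]")


def _reference(pkg: dict) -> str:
    """Return the VCS/dist reference recorded for a lock entry, or ''."""
    source = pkg.get("source") or {}
    dist = pkg.get("dist") or {}
    return source.get("reference") or dist.get("reference") or ""


def _entries(lock: dict):
    """Yield every package entry from both sections of a lock file."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            yield pkg


def audit_lock(lock: dict) -> list:
    """Return human-readable reproducibility problems found in a lock file."""
    problems = []
    for pkg in _entries(lock):
        name = pkg.get("name", "<unnamed>")
        version = pkg.get("version", "")
        if not version or _RANGE_CHARS.search(version):
            problems.append(f"{name}: version '{version}' is not an exact version")
        ref = _reference(pkg)
        if not _COMMIT_RE.match(ref):
            problems.append(f"{name}: reference '{ref}' is not an immutable commit id")
    return problems


def lock_diff(a: dict, b: dict) -> dict:
    """Map package name -> ((version, ref) in a, (version, ref) in b) for
    every package whose pin differs or that is present in only one lock."""
    index_a = {p["name"]: (p.get("version"), _reference(p)) for p in _entries(a)}
    index_b = {p["name"]: (p.get("version"), _reference(p)) for p in _entries(b)}
    names = sorted(set(index_a) | set(index_b))
    return {n: (index_a.get(n), index_b.get(n))
            for n in names if index_a.get(n) != index_b.get(n)}


def load_lock(path: str) -> dict:
    """Parse a composer.lock file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# ---- constructed sample data (placeholders, not real packages) -------------
def _pkg(name: str, version: str, ref: str) -> dict:
    """Build a minimal lock entry shaped like Composer's output."""
    return {
        "name": name,
        "version": version,
        "source": {"type": "git",
                   "url": f"https://example.invalid/{name}.git",
                   "reference": ref},
        # Composer often leaves dist.shasum empty for GitHub archives, so the
        # commit reference is the value worth relying on.
        "dist": {"type": "zip",
                 "url": f"https://example.invalid/{name}/{ref}.zip",
                 "reference": ref, "shasum": ""},
    }


REF_A = "0123456789abcdef0123456789abcdef01234567"
REF_B = "89abcdef0123456789abcdef0123456789abcdef"
REF_C = "f" * 40

RELEASE_LOCK = {"packages": [_pkg("example/dep-a", "1.2.3", REF_A)],
                "packages-dev": [_pkg("example/dev-tool", "2.0.0", REF_B)]}
# A rebuild where dep-a silently moved to a newer commit.
REBUILT_LOCK = {"packages": [_pkg("example/dep-a", "1.2.4", REF_C)],
                "packages-dev": [_pkg("example/dev-tool", "2.0.0", REF_B)]}
# A lock that does not actually pin anything.
SLOPPY_LOCK = {"packages": [{"name": "example/dep-a", "version": "^1.2",
                             "source": {"type": "git",
                                        "url": "https://example.invalid/x.git",
                                        "reference": "main"}}]}

if __name__ == "__main__":
    for line in audit_lock(SLOPPY_LOCK):
        print("problem:", line)
    for name, (before, after) in lock_diff(RELEASE_LOCK, REBUILT_LOCK).items():
        print(f"drift: {name}: {before} -> {after}")
```

In practice `load_lock()` would be pointed at the `composer.lock` taken from the release artefact and at the one produced by `composer install` on the packager's side; an empty `audit_lock()` result and an empty `lock_diff()` result are the conditions under which the two builds can be expected to match.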

Hello @drupol

Thanks for the issue! We support a wide range of PHP versions, which makes it impossible to add the composer.lock file to the repository.

But adding the used version to the PHAR file should be an option.

Hello!

How about just shipping the composer.lock file along with the PHAR file, as an artefact?

It would definitely be a great option (and probably the cheapest) to ensure that anyone is able to reproduce the PHAR file.

What do you think?

> But adding the used version to the PHAR file should be an option.

But this would make it harder to replicate the PHAR. Just shipping the composer.lock is simple and easy, so we can reuse it "as-is"!

Thank you for including the Composer files in the PHAR!!!!