Composer? Really? #1005
Comments
Hi @derStephan! I know that this way would make installing sysPass a bit more difficult, but be aware that sysPass v3 will require more dependencies, which implies managing their own lifecycle to keep them updated and secure. The better approach on managed hosting is to download sysPass, install its dependencies and then upload from your PC using an FTP client or whatever you want. Btw, I'll analyze how to install them from the sysPass UI, but it would be done in later releases. Regards
If this is the plan, then you should write an extensive how-to for Windows and Linux. Point is, that it makes the process much more complex. I think this will lead to a number of users who won't do the upgrade.
That would be great!
Sure, it will be well documented. Going back to the reason, keep in mind that some dependencies like
Regards
I can't see the problem with releasing minor versions, on the contrary. If you do not publish a new version, then the user may not even know that there is a security problem with his/her installation. And if this is on a shared hoster, then there is no automated update by composer. In my opinion, your new approach makes life much worse regarding security and maintainability.
@derStephan right, it could be an option, but since there are more dependencies than these two, it could be a mess to update them by releasing a new sysPass version whenever they are updated. I'd rather rely on GitHub based notifications, which could be displayed through the application. Regards
You'd rather? They could be displayed? Sorry, I am not convinced. I am afraid that you replace one evil with another. We'll see. Thanks for your time.
Please don't be concerned about this; I'll provide a bundle with all dependencies included on every release. Thanks for the feedback!
Hi, I will be installing this on a machine without internet access, but with access to Ubuntu repos. For the initial install, I could rely on the bundle as you stated above. However, as soon as a security issue is found with a sub-dependency, I will have no way of knowing. For sysPass itself, the plan is to regularly visit GitHub to check for new versions. If sysPass could rely on the system packages, then the package manager would keep those updated. Since this software is very security sensitive, I figured that other people would be installing it on offline boxes as well. Is there anything I can do to reduce the number of dependencies? Regards
It seems that increasing the number of dependencies is the whole point of sysPass 3. Why would anybody use the modern and trendy composer without a high number of dependencies? Thus, any modern, trendy application needs a lot of dependencies. And using composer for any kind of web application is necessary these days, right? Everybody does that, right? It's state of the art, right? If your app does not use all of the fashionable cool new stuff, then it dies quicker than you can say quidditch. 🤣
My point exactly. When it comes to security, you should always follow the KISS principle. Very little complexity is the key. Using the standard OpenSSL libraries which ship with the standard PHP installation was a good choice for sysPass 2.1. Keeping PHP up to date is simple and normally done by the operating system. Nothing to worry about for the normal user, regardless of whether he is on a shared hoster or not. Replacing these standard libraries with anything else is a huge step back, in my opinion.
You're right, I didn't want to bloat this software with those dependencies, but as you said, almost every piece of software relies on a package manager, which would keep it up to date as soon as a new fix is released. I thought about managing it through the distribution package manager, but it could be really tough, since not every package would be packaged for the distribution. Regarding the KISS principle, relying on external dependencies is the way to not couple the application with a concrete dependency, since some components could be replaced by others using a shared interface (see the PSR standards). sysPass v2 relies on some dependencies like php-encryption or PHPMailer, which need to be bundled within sysPass. This version implements some new principles that would make it more coding friendly, so other developers could either fix or extend any functionality with a brief overview of the code. And yes, package management is the state of the art in software development (see the Linux distro success history). Regards
But you are not relying on a standard package manager that ships with the common *nix distributions. You are relying on a third-party program, which is normally not available on shared hosters and won't work when it comes to intranet servers without internet connections.
I agree with that. This will be impossible to achieve.
I see your point. But I think adding more libraries will not keep anything simpler. It may make YOUR life as a developer simple. But it will not make your program any simpler, on the contrary.
Right. You could have tried to get rid of these dependencies and use the built-in functions of a standard PHP installation.
That's my point. It is easier and simpler for you. But the result is not. How could it be? You exchange some kB of your old code for some MB of libraries + some kB of new code from you.
Well, it may be in vogue to do so. But just using the latest cool stuff does not mean that this benefits every use case.
Well, a Linux package manager is available on all common distributions out of the box. That's why this is a success story. There may be a time when composer is part of the standard LAMP stack and all I have to do is download your software only, and all dependencies are fetched on first page load automatically. When this time comes, I will happily use it. But as long as this is not the case, it won't be a success story comparable to the *nix package managers. Ruben, please don't take this as an offence. It is really not. I appreciate your work. But I am in fear that the current road leads to a high number of users that can not use sysPass any longer, as I expect that you won't maintain sysPass 2.1 after the next stable release.
Yes, I catch your points, and I really do take this as a constructive complaint. Just note that composer is bundled in the most restrictive distro, Debian, so it should be available on any derivatives. Another key point: what can we do with the packages' dependencies? sysPass would need to provide every package's dependencies, so it would be a real mess. Regarding the use of PHP standard functions, it would be really a pain since I'd need to code every use case from scratch, and I think it could be better done by other developers who are focused on and have a better knowledge of their scope. And worth mentioning the time it could take... so divide and you win. I'd like to get a balance between all of this stuff. Thanks for your feedback!
Hi again, if the most important dependencies are of the sort that is nearly always shipped in the distribution, then I could either disable some functionality that relies on lesser-known dependencies, or maybe feel better about it going a bit out of date. What I'm most afraid of is if core dependencies end up being managed by composer; in that case the installation will go out of date quickly in my scenario. If the software can work as long as the dependencies are installed, then it could be up to the user to either use composer or find a package in their distribution. This would be really helpful for me and I'd be happy to contribute to that end :)
Sorry about being brief, I'm writing from my smartphone while traveling on a bus on vacation ;)
Right. And how do I use that on my shared hoster?
I see. But as we discussed before, you could update the dependencies on your machine and upload everything together here at regular intervals as minor releases.
I could not agree more. But you should really be careful when to divide. Has there been any security issue with
Woah! Sorry, pal. I did not want to spoil your holidays. Have a nice trip.
@derStephan no worries, hopefully I'll be back with new ideas about sysPass! Thanks
Hi Ruben, do you know this service? You can download complete packages with all dependencies there without using composer. That could be a solution to your problem. But I can not find sysPass there. Do you know why?
Hi @derStephan, no I didn't, it seems useful. I'm moving some projects onto Packagist in order to publish them as composer packages. The first has been the Authenticator plugin, which can now be installed on sysPass v3 through composer. The sysPass v3 core will be published shortly. Thanks for the notice! Regards
Just read in #1137 that sysPass v3 is no longer beta. I could not recognize that from the releases page, but that's not the point of concern here. May I ask again about installing sysPass on a shared hoster without the ability to run composer? How should that work for the majority of users? In November, I pointed to php-download.com, which may be the solution, but I still can't find it there. And if we use this service, then we have to ask if we want to trust a 3rd-party web service when it comes to management of our passwords. Sorry, @nuxsmin. But the longer I think about it, the less I like it. Your software is supposed to handle the most confidential and sensitive information of your users. There is quite some confidence each and every one of us puts in you. I hope that you are aware of that. But with the new system, we have to trust not only you but all the projects you depend on, as well as the complete composer system. And those poor people with simple shared hosting have to trust yet another system which may or may not inject backdoors at any time. I would really appreciate it if you just offered complete packages with all the necessary dependencies. Of course, my initial statement still stands. In my opinion, you should not have added any dependencies in the first place. There is OpenSSL in any decent PHP installation. You should have stuck to that, but I know that it is too late for this discussion anyway.
Hello @derStephan, as I pointed out before, a dependencies bundle will be released in order to deal with hosted instances, so there wouldn't be any need to run composer.
Using the dependencies bundle it won't be needed. I've just released v3, and the demo site was deployed by this method, since there isn't any console access... I'm working on an unattended solution to deliver the bundle, so it would be ready shortly.
Unfortunately there are many other dependencies like dependency injection containers, routing, polyfills, RSA encryption, etc. and, as pointed out, they also have many other dependencies. Regards
Hi Ruben,
Any news on that?
@derStephan sorry for the delay... I've just uploaded the dependencies binaries to the latest tag: https://github.com/nuxsmin/sysPass/releases/tag/3.0.5.19020701 I'm currently analyzing how to automate it in a secure way, so no manual uploads would be needed. Here is the script used: https://gist.github.com/nuxsmin/0b564e2bfd6b360538dfb2cf3240ffbb Regards
That is a bash script. That is not what I hoped for. To run that, you need a Linux machine. And as there is no documentation, I don't know what to do afterwards. May I remind you how sysPass was installed before v3? Download a bunch of files, upload them via FTP to your hoster, run install.php, done. Anything more complicated than that won't work for the majority of users out there. Those users with cheap shared hosting contracts. Those users that understand how to use FTP but have no clue about Linux or Docker.
Did this already happen? Obviously, it is no official package yet, as it can not be found here:
@derStephan that script is the one used to generate the bundle, and it is not intended to be run on the hosted machine. You only need to download the dependencies bundle from the releases page and upload it to your hosting by FTP or whatever, alongside the sysPass code. This way you get the same code as you used to have in previous releases. Regards.
Oh, I did not see that there is a vendor.tar.gz. Thank you for that. Maybe you should give some advice here: https://doc.syspass.org/en/3.0/installing/hostingmode.html So how does an upgrade from v2 work using this bundle?
Done 😉
Unpacking and doing a normal upgrade. Regards
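As an added example that is not from the thread, the sysPass project or the gist linked above: two POSIX shell checks a shared-hosting user can run on a downloaded vendor.tar.gz before uploading it alongside the sysPass code, confirming the archive's SHA-256 against a digest obtained from a trusted channel and that every entry stays under vendor/, so the bundle cannot replace application files. The sample bundles and their contents are constructed by the demo functions; GNU sha256sum and tar are assumed.

```shell
#!/bin/sh
# Added example, not part of the sysPass project or the thread's gist:
# sanity checks for a downloaded dependencies bundle (e.g. vendor.tar.gz)
# before it is unpacked beside the sysPass code on an FTP-only host.
# Assumptions: GNU sha256sum and tar are available; the expected digest
# comes from a trusted channel (the demo below computes a constructed one).

# Succeeds when the archive's SHA-256 equals the expected digest.
check_bundle_digest() {
  archive="$1"; expected="$2"
  actual=$(sha256sum "$archive" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Succeeds when every entry lives under "$top/" and no entry is an absolute
# path or contains a ".." component, so unpacking the bundle cannot touch
# files outside the vendor directory (a stray index.php would be rejected).
check_bundle_paths() {
  archive="$1"; top="$2"
  entries=$(tar -tzf "$archive") || return 1   # unreadable archive fails
  printf '%s\n' "$entries" | while IFS= read -r entry; do
    case "$entry" in
      /*|../*|*/../*|*/..) echo "rejected entry: $entry" >&2; exit 1 ;;
      "$top"|"$top"/*) ;;
      *) echo "rejected entry: $entry" >&2; exit 1 ;;
    esac
  done
}

# Constructed sample bundles (PHP stubs, not real packages), for the demo.
make_good_bundle() {   # $1 = absolute path of the archive to create
  work=$(mktemp -d)
  mkdir -p "$work/vendor/acme/lib"
  echo '<?php // constructed stub' > "$work/vendor/autoload.php"
  echo '<?php // constructed stub' > "$work/vendor/acme/lib/Lib.php"
  tar -C "$work" -czf "$1" vendor
  rm -rf "$work"
}

# Same, but with a stray top-level index.php that would clobber the app.
make_bad_bundle() {
  work=$(mktemp -d)
  mkdir -p "$work/vendor"
  echo '<?php // constructed stub' > "$work/vendor/autoload.php"
  echo '<?php // constructed stub' > "$work/index.php"
  tar -C "$work" -czf "$1" vendor index.php
  rm -rf "$work"
}
```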
Hi Ruben,
I just read that composer is mandatory for installing sysPass 3. What is the plan for the majority of people out there who are running on simple shared hosters without SSH?
Why do you add this level of complexity? This way, the inexperienced user will fail to install.
What is the problem of keeping installation as easy as before?
Regards
Stephan