Mailing List Archive

MediaWiki 1.38 is End of Life
As per the MediaWiki version lifecycle[1], I would like to announce the
formal end of life (EOL) of MediaWiki 1.38 as of today, Friday June 30,
2023.

1.38.7 is expected to be the last release for this branch.

This means that MediaWiki 1.38 will no longer receive maintenance or
security backports. It is therefore strongly discouraged that you continue
to use it.

It is recommended to upgrade either to MediaWiki 1.39 (LTS), which will be
supported until November 2025 or to 1.40 (released today), which will be
supported until June 2024.

Thanks!


Sam Reed

[1] https://www.mediawiki.org/wiki/Version_lifecycle
Re: MediaWiki 1.38 is End of Life
On Fri, Jun 30, 2023 at 12:47 PM Sam Reed <reedy@wikimedia.org> wrote:
>
> As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.38 as of today, Friday June 30, 2023.
>
> 1.38.7 is expected to be the last release for this branch.
>
> This means that MediaWiki 1.38 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it.
>
> It is recommended to upgrade either to MediaWiki 1.39 (LTS), which will be supported until November 2025 or to 1.40 (released today), which will be supported until June 2024.

Is there a path available to folks who use MW 1.38 and have hosting
providers that only offer Ubuntu 20.04 with Composer 1? My testing
revealed we could not update to MW 1.39 because of the Composer 2
requirement.

I think our options are... we need to wait until our hosting provider
offers Ubuntu 22.04, or MediaWiki drops the Composer 2 requirement for
MW 1.39.

It is an uncomfortable position to be in.

Jeff
_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
To unsubscribe send an email to mediawiki-l-leave@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
Re: MediaWiki 1.38 is End of Life
You could install composer from its official website instead of using the
system package manager. It can be downloaded as a single .phar file.

--
Brian

On Fri, Jun 30, 2023 at 11:42 AM Jeffrey Walton <noloader@gmail.com> wrote:

> On Fri, Jun 30, 2023 at 12:47 PM Sam Reed <reedy@wikimedia.org> wrote:
> >
> > As per the MediaWiki version lifecycle[1], I would like to announce the
> formal end of life (EOL) of MediaWiki 1.38 as of today, Friday June 30,
> 2023.
> >
> > 1.38.7 is expected to be the last release for this branch.
> >
> > This means that MediaWiki 1.38 will no longer receive maintenance or
> security backports. It is therefore strongly discouraged that you continue
> to use it.
> >
> > It is recommended to upgrade either to MediaWiki 1.39 (LTS), which will
> be supported until November 2025 or to 1.40 (released today), which will be
> supported until June 2024.
>
> Is there a path available to folks who use MW 1.38 and have hosting
> providers that only offer Ubuntu 20.04 with Composer 1? My testing
> revealed we could not update to MW 1.39 because of the Composer 2
> requirement.
>
> I think our options are... we need to wait until our hosting provider
> offers Ubuntu 22.04, or MediaWiki drops the Composer 2 requirement for
> MW 1.39.
>
> It is an uncomfortable position to be in.
>
> Jeff
Re: MediaWiki 1.38 is End of Life
On Fri, Jun 30, 2023 at 3:04 PM Brian Wolff <bawolff@gmail.com> wrote:
>
> You could install composer from its official website instead of using the system package manager. It can be downloaded as a single .phar file.

Thanks Brian.

We don't want to switch hosting providers or download third party
stuff. In the case of Composer, we don't have the expertise to
evaluate it. Hence we rely on the distro.

(I personally don't trust Composer because it is willing to run
arbitrary code. It's very sloppy in its security practices).

Jeff

> On Fri, Jun 30, 2023 at 11:42 AM Jeffrey Walton <noloader@gmail.com> wrote:
>>
>> On Fri, Jun 30, 2023 at 12:47 PM Sam Reed <reedy@wikimedia.org> wrote:
>> >
>> > As per the MediaWiki version lifecycle[1], I would like to announce the formal end of life (EOL) of MediaWiki 1.38 as of today, Friday June 30, 2023.
>> >
>> > 1.38.7 is expected to be the last release for this branch.
>> >
>> > This means that MediaWiki 1.38 will no longer receive maintenance or security backports. It is therefore strongly discouraged that you continue to use it.
>> >
>> > It is recommended to upgrade either to MediaWiki 1.39 (LTS), which will be supported until November 2025 or to 1.40 (released today), which will be supported until June 2024.
>>
>> Is there a path available to folks who use MW 1.38 and have hosting
>> providers that only offer Ubuntu 20.04 with Composer 1? My testing
>> revealed we could not update to MW 1.39 because of the Composer 2
>> requirement.
>>
>> I think our options are... we need to wait until our hosting provider
>> offers Ubuntu 22.04, or MediaWiki drops the Composer 2 requirement for
>> MW 1.39.
>>
>> It is an uncomfortable position to be in.
>>
>> Jeff
Re: MediaWiki 1.38 is End of Life
You could just not use composer in that case. MediaWiki core doesn't really
require it (You can use the tarball vendor or mediawiki/vendor.git repo
instead). There's maybe a couple of extensions that strongly encourage its
use, but they are in the minority.

Ultimately composer is a package manager, running arbitrary code (whether
directly or indirectly) is kind of the point.

On Fri, Jun 30, 2023 at 12:13 PM Jeffrey Walton <noloader@gmail.com> wrote:

> On Fri, Jun 30, 2023 at 3:04 PM Brian Wolff <bawolff@gmail.com> wrote:
> >
> > You could install composer from its official website instead of using
> the system package manager. It can be downloaded as a single .phar file.
>
> Thanks Brian.
>
> We don't want to switch hosting providers or download third party
> stuff. In the case of Composer, we don't have the expertise to
> evaluate it. Hence we rely on the distro.
>
> (I personally don't trust Composer because it is willing to run
> arbitrary code. It's very sloppy in its security practices).
>
> Jeff
>
> > On Fri, Jun 30, 2023 at 11:42 AM Jeffrey Walton <noloader@gmail.com> wrote:
> >>
> >> On Fri, Jun 30, 2023 at 12:47 PM Sam Reed <reedy@wikimedia.org> wrote:
> >> >
> >> > As per the MediaWiki version lifecycle[1], I would like to announce
> the formal end of life (EOL) of MediaWiki 1.38 as of today, Friday June 30,
> 2023.
> >> >
> >> > 1.38.7 is expected to be the last release for this branch.
> >> >
> >> > This means that MediaWiki 1.38 will no longer receive maintenance or
> security backports. It is therefore strongly discouraged that you continue
> to use it.
> >> >
> >> > It is recommended to upgrade either to MediaWiki 1.39 (LTS), which
> will be supported until November 2025 or to 1.40 (released today), which
> will be supported until June 2024.
> >>
> >> Is there a path available to folks who use MW 1.38 and have hosting
> >> providers that only offer Ubuntu 20.04 with Composer 1? My testing
> >> revealed we could not update to MW 1.39 because of the Composer 2
> >> requirement.
> >>
> >> I think our options are... we need to wait until our hosting provider
> >> offers Ubuntu 22.04, or MediaWiki drops the Composer 2 requirement for
> >> MW 1.39.
> >>
> >> It is an uncomfortable position to be in.
> >>
> >> Jeff