reopen #7730 #7838

Closed
thomaszbz opened this issue May 5, 2015 · 9 comments
Labels
answered For when a question was asked and we referred to forum or answered it.

Comments

@thomaszbz

Please reopen #7730, as this is not solved.

@tsteur
Member

tsteur commented May 5, 2015

try composer.phar self-update && composer.phar install and a git submodule update --init

@thomaszbz
Author

As said, I prefer a git installation (without composer). What's wrong with that?

Also tried

git submodule update --init

which also gives me the error for 2.13.0.

@diosmosis added the "answered" label May 5, 2015
@diosmosis
Member

Composer is used to manage third-party dependencies. These dependencies do not exist as git submodules; if you don't use composer, you won't be able to use Piwik with git. Note: these dependencies are included in the piwik.org distribution (http://builds.piwik.org/piwik.zip), so you can use that instead of using git.

FYI, closing since the problem is known and the solution is to use composer, as it is required to use it. You can still comment in the ticket if you need further support related to this issue. We'll still get notifications even if it is closed.

@thomaszbz
Author

Ok, as long as it is documented that git install via submodules is not supported, the ticket can be closed. Thanks.

@tsteur
Member

tsteur commented May 5, 2015

> As said, I prefer a git installation (without composer). What's wrong with that?

In general, it is risky to use a git installation in production. For example, in our latest piwik.zip we remove many files that are not needed in production and could potentially even cause harm. For example, all of our test files are removed, some default settings are changed (which causes Piwik to be slower than using piwik.zip), etc. If you do want to use a git installation in production, please consider committing the content of piwik.zip into a repository, tagging a new version, and checking out this version on your server, so that it only contains the files that are supposed to be in production.

BTW: Piwik via git is documented here (including composer), and also that we do not recommend using it in production: http://piwik.org/faq/how-to-install/faq_18271/

@thomaszbz
Author

I'd just like to avoid updating piwik via GUI for security reasons (nevertheless this is perfect for average individuals, also for security reasons). Don't get me wrong, I like composer a lot.

However, the git repository of piwik contains a bunch of submodules which basically contradicts the concept of composer (two concepts for the same thing).

Downloading zip-files and unpacking them somewhere requires me to manually check checksums from a trustworthy source. Plus, I need to trust packaging and software rollout process.

I like the concept of adding -dev composer packages which are only needed by developers. And I like the concept of a very minimal installation git repository, which basically contains the composer package information for installation and update. Git submodules would not be needed that way.

That's what I think is perfect: git-checkout the latest version, and do a composer-install (which updates composer packages to the latest git-tagged version). At least if composer is performing a trustworthy check of package checksums (is it?).

A project which is as large as piwik, plus handling very interesting data for some organizations, needs to have a trustworthy software packaging and rollout process. It must be at least as secure as debian's apt, including being safe against man-in-the-middle attacks.
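
Added example, not part of any comment in this thread and not Piwik project code: one way to script the procedure tsteur describes above (commit the content of a release archive into a repository and tag it), with the checksum comparison thomaszbz mentions done first. `import_release`, its arguments and the tag naming are assumptions, the expected checksum must come from a source you trust, and the function also accepts `.tar.gz` archives, which goes beyond the `piwik.zip` case.

```shell
#!/usr/bin/env bash
# Added example (not Piwik project code). import_release and its arguments
# are hypothetical names; the expected checksum is supplied by the operator.

import_release() {
    local archive=$1 expected_sha256=$2 repo=$3 tag=$4 actual

    # 1. Verify the download against a checksum obtained from a trusted source.
    actual=$(sha256sum "$archive" | cut -d' ' -f1) || return 1
    if [ -z "$actual" ] || [ "$actual" != "$expected_sha256" ]; then
        echo "checksum mismatch for $archive: got '$actual'" >&2
        return 1
    fi

    # 2. Create the deployment repository on first use; never move an existing tag.
    mkdir -p "$repo" || return 1
    [ -d "$repo/.git" ] || git -C "$repo" init -q || return 1
    if git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null; then
        echo "tag $tag already exists in $repo" >&2
        return 1
    fi

    # 3. Replace the work tree with the archive content, so files dropped
    #    from the release (test files, for example) also vanish from the repo.
    find "$repo" -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +
    case $archive in
        *.zip)    unzip -q "$archive" -d "$repo" ;;
        *.tar.gz) tar -xzf "$archive" -C "$repo" ;;
        *)        echo "unsupported archive type: $archive" >&2; false ;;
    esac || return 1

    # 4. Commit and tag; the commit message records the verified checksum.
    git -C "$repo" add -A &&
    git -C "$repo" -c user.name=release-import \
        -c user.email=release-import@example.invalid \
        commit -q -m "Import $tag (sha256 $actual)" &&
    git -C "$repo" tag "$tag"
}

# On the server: git fetch --tags && git checkout <tag>
```

Because the tag is created only after the checksum matches and is never overwritten, the server can deploy by tag name and get exactly the content that was verified at import time.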

@tsteur
Member

tsteur commented May 5, 2015

True, we had such discussions already in #6605 and #6757. We'd like to get rid of git submodules, but it's not that easy as we have different requirements / workflows. I'm not sure if composer is performing a trustworthy check of package checksum. I know it does a checksum check, but I do not know whether it is trustworthy.

Did you know you can install Piwik via apt-get on Debian? https://github.com/piwik/piwik-package

@thomaszbz
Author

Debian third party repositories are really dangerous, as the maintainer could update any package. Packaging a debian package myself just for me looks pointless to me.

A trustworthy maintainer could provide an up-to-date package to the official debian repository, but as far as I know, up-to-date software is not allowed in stable repositories (debian people like it outdated). I think this is pointless for a project which is under heavy development - everybody wants the very latest production version here.

I made my experiences with TYPO3 CMS and official debian repositories. The result would be a broken, insecure and totally outdated installation.

In the end, we go back to tarballs and patches... That's what git was made for (plus, for checking integrity!). That's what composer was made for. Better get away from .zip and .gz as quick as you can.

@thomaszbz
Author

Btw, I have very good experiences with composer's require-dev section, which is described in #6605. That's the way to go...
