[Vtigercrm-developers] Let's make 7.4 fruitful

Błażej Pabiszczak b.pabiszczak at yetiforce.com
Fri Oct 2 09:01:05 GMT 2020


The benefits are huge, I can't imagine a PHP/JS project without using: 

 	* composer [php]
 	* yarn [js]
 	* package

Why? 

 	* Achieving an order is the most important argument, each library is
described [eg: version number] - currently, there are many duplicate
libraries, eg jquery can be found in about 10 places in different
versions, which means no one controls it.

	* Security [library analysis] - currently there are hundreds of free
tools, such as:

 	* https://david-dm.org/YetiForceCompany/YetiForceCRM - it checks 70
libraries in our project and verifies whether they are up-to-date and
whether there is a known vulnerability, e.g. it informs us that a new
full calendar version has been released and that the gridstack library
is no longer supported by the producer in the version currently used by
us.
 	* https://depfu.com/github/YetiForceCompany/YetiForceCRM - checks 66
libraries [including many not supported by david-dm] and shows that we
have to update 8 libraries.
 	* https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
- the GitHub tool can be used as it provides the quickest information on
vulnerabilities.

 	* Security [static code analysis] - we can not only verify our own
code but also the related libraries code, there are plenty of free tools
for open source projects.
 	* Licensing - allows generating license dependency reports for
third-party libraries [it can be verified whether any library uses a
license that is incompatible with ours], license scanners are free for
open source projects.

Most of the security errors related to code quality, duplicated code,
malicious code, obsolete libraries are caused by the fact that the code
was not organized using composer/yarn/package, which are the basis for
most security tools. When you look only from your perspective [I have
one module and I use 2 libraries], it makes no difference for you
whether you use composer or not, but we currently use over 150 third
party libraries, and it is impossible to manage them and take care of
security without tools that verify it for us. 

Organizing libraries is a very important and necessary step, but
remember that it is probably the most difficult thing to do, because it
took us three months to upgrade from Bootstrap 3 to Bootstrap 4 [while
migrating some of the libraries used didn't work for version 4.4 and a
very large part of the code had to be rewritten] and then for 9 months
we had been stabilizing the application. The same applies to jQuery,
which needs to be updated to the latest version and "force" the other 10
libraries to use one common library. These are such profound changes
that if the producer does not perform them, you will irretrievably
separate the on-demand version from the community. If the producer
decides to update libraries, then it will take several months [just like
with Vtiger 6]. If the producer updates only the on-demand version and
doesn't update the community, then we can talk about abandoning the
project just like SugarCRM did. 

Vtiger will certainly do it. The only question is when - whether they
will do it now when there is still time for it, or rather when it
attracts media attention.

--

Kind regards 
Błażej Pabiszczak 
CEO & Co-Founder at YetiForce 
+48 884 999 123 | b.pabiszczak at yetiforce.com 

On 2020-10-02 09:13, Martin Allen wrote:

> * Package dependencies are managed within composer itself e.g. Pear DB package is available in Composer (yes I know it's been superseded already by MDB2 but it's an example) and is dependent on other Pear packages, except as developers we don't need to worry about those other dependencies as they are automatically handled.
> * Package updates can be handled very simply without the need to download the entire CRM again, so if a security issue is identified in for example Pear DB, in a couple of minutes it can be updated (in a non-breaking fashion because all packages adhere to semantic version numbering) - problem solved.
> * As Alan mentioned the autoload.php, which on a production environment is optimized for increased speed. 
> * Using PSR-4 Namespaces and the autoload.php makes packages available application wide simply with the 'use' namespace syntax. (How many times have you gotten frustrated because include statements don't work as intended!)
> 
> Yes there would be some complications around custom modules requiring other dependencies - I believe there are ways of calling composer to run composer commands as part of an installation script - this would need some further investigation though. 
> 
> One of the biggest questions that needs to be answered is the intended audience for vTiger CRM going forward. Is it going to be designed for simple one-click install applications that anyone can download, or is it intended for technical/developer types who know/understand how to manage Composer installs / updates?  
> It would be possible to use Composer as part of the development process and then include the /vendor contents and everything else required inside the single ZIP download still. This would allow those who do not understand / have access to Composer to get SOME of the benefits but for those that do have access/knowledge can get ALL the benefits? 
> 
> Martin Allen 
> 
> 01392 248692 - Main Office
> 01392 690659 - Direct Line 
> 
> Have you visited our website recently? http://www.clystnet.com [1] 
> 
> The information in this email is confidential. If you are not the intended recipient, you must not read or use that information. This email and any attachments are believed to be virus free however no responsibility is accepted by Clystnet for any loss or damage arising in any way from receipt or use thereof. Clystnet Ltd (company reg number 7164503) is based at Silverdown Park, Fair Oak Close, Clyst Honiton, EX5 2UX 
> 
> On Thu, 1 Oct 2020 at 23:44, nilay khatri <nilay.spartan at gmail.com> wrote: 
> What I feel is that we can really do better dependent library management using composer. 
> 
> The autoloader could be included in the Vtiger's Loader file. 
> 
> The challenge would be if a custom module needs a library which is not included as default, so then how do we package the extension.. 
> 
> On Fri, Oct 2, 2020 at 1:04 AM Alan Lord <alanslists at gmail.com> wrote:
> For an old idiot like me, please could someone explain what the actual 
> *benefits* of implementing composer in vtiger would be?
> 
> I've made several modules for customers which require the weird 
> namespace syntax and stuff and I have found that this is very trivial to 
> support by creating an "AutoLoader" in my module and simply including 
> it, e.g.
> 
>> namespace PhpOffice;
>> 
>> spl_autoload_register(function ($class) {
>>     if (substr($class, 0, strlen(__NAMESPACE__)) != __NAMESPACE__) {
>>         // Only autoload libraries from this package
>>         return;
>>     }
>>     // 9 is strlen('PhpOffice'): drop the namespace prefix, keep the rest as a path
>>     $path = substr(str_replace('\\', '/', $class), 9);
>>     $path = 'modules/LSMyCustomModule/resources/PhpOffice' . $path . ".php";
>>     if (file_exists($path)) {
>>         require $path;
>>     }
>> });
> 
> Maybe I am missing some of the other benefits, but I would like to know 
> what benefits this would bring and how it would make my life easier?
> 
> TIA
> 
> Al
> 
> On 01/10/2020 19:35, Matteo Baranzoni wrote:
>> Hi, my friend Francesco opened a discussion here: 
>> https://discussions.vtiger.com/discussion/192211/official-php-composer-for-vtiger/p1?new=1
>> 
>> And I just added it on hearken, I think that moving PHP dependencies to 
>> composer is a great improvement!
>> We can contribute in order to complete porting
> 

_______________________________________________
http://www.vtiger.com/ 

Links:
------
[1] http://www.clystnet.com/
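
Added example, not part of the original e-mail thread and not code from Vtiger or YetiForce: a small Node.js inventory of the situation described in the message above, where jQuery "can be found in about 10 places in different versions". It walks a source tree, finds vendored jQuery core files and groups them by the version in their banner; the function names, sample paths and file contents are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Core jQuery builds only: jquery.js, jquery.min.js, jquery-1.11.2.min.js (not jquery-ui.js).
const NAME = /^jquery([.-]\d[\d.]*)?(\.min)?\.js$/i;
// Version banner, minified ("jQuery v1.11.2") or full ("jQuery JavaScript Library v1.11.2").
const BANNER = /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/;

// Walk `root` and return { version: [relative paths] } for every jQuery copy found.
function inventory(root) {
  const byVersion = {};
  const walk = (dir) => {
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, e.name);
      if (e.isDirectory()) {
        walk(full); // symlinked directories are not reported as directories, so no loops
      } else if (e.isFile() && NAME.test(e.name)) {
        // The banner sits at the top of the file; match only the first 512 characters.
        const m = BANNER.exec(fs.readFileSync(full, 'utf8').slice(0, 512));
        const version = m ? m[1] : 'unknown'; // banner stripped: needs manual review
        const rel = path.relative(root, full).split(path.sep).join('/');
        (byVersion[version] = byVersion[version] || []).push(rel);
      }
    }
  };
  walk(root);
  Object.values(byVersion).forEach((files) => files.sort());
  return byVersion;
}

// Constructed sample tree (hypothetical paths and file contents, not a real checkout).
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'vendored-'));
  const files = {
    'libs/jquery/jquery.min.js': '/*! jQuery v1.7.2 jquery.com | jquery.org/license */',
    'theme/lib/jquery.min.js': '/*! jQuery v1.11.2 | (c) jQuery Foundation */',
    'modules/Custom/js/jquery-1.11.2.js': '/*!\n * jQuery JavaScript Library v1.11.2\n */',
    'modules/Other/js/jquery.js': '(function(){})();',
    'libs/jquery/jquery-ui.js': '/*! jQuery UI - v1.8.16 */',
  };
  for (const [rel, body] of Object.entries(files)) {
    fs.mkdirSync(path.join(root, path.dirname(rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), body);
  }
  return root;
}

console.log(inventory(buildSampleTree()));
```

More than one key in the result means several jQuery versions ship side by side, and an `unknown` entry is a copy whose banner was stripped and whose version has to be checked by hand.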