FriendsOfPHP/security-advisories

Would it be possible to add TYPO3 Extensions as well?

tomasnorre opened this issue · 8 comments

I might be overlooking something, but would it be possible to add TYPO3 Extensions as well?
As I see it this only covers the TYPO3 Core, which of course is also important.

cc: @ohader

This repository accepts all contributions, and makes no choices about which packages should be listed or not.

To understand you correctly: I can make a PR that includes the TYPO3 Extensions then?

Yes, sure. This repository accepts PRs for any Composer package, no restrictions.

@tomasnorre We should discuss that internally on our Slack #security channel, not via GitHub and please also not via Twitter.

@fabpot That information was also new to me. As a consequence, that could mean that hundreds or thousands of advisories from other projects (Symfony, TYPO3, Joomla, Drupal, WordPress, Yii2, ...) would be bundled in this repository... which in turn would mean growth in https://github.com/Roave/SecurityAdvisories/blob/master/composer.json and a potential impact on Composer actions, which would have to verify all version constraints.

Our (TYPO3 security team) idea would have been to keep vendor related advisories (just TYPO3 core in our case) in this repository and provide advisories for 3rd party plugins in a dedicated repository/platform, e.g. https://advisories.typo3.org (work-in-progress, not published yet).

This database is (at least for now) a hub for all security issues. I think it would make sense to consolidate everything here.

We do have entries for Symfony bundles for instance.

stof commented

@ohader conflict rules are not what makes composer update costly (at least not with an up-to-date version of composer). These conflict rules are checked only among packages which are already in the scope of the solver (as they can only reject a package from the solution, not include it in it).
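To make the point in the comment above concrete, here is an added toy model (not Composer's solver and not code from this repository or from Roave/SecurityAdvisories) of how a `conflict` section is evaluated: only packages already in scope are compared against their conflict ranges, so an entry for a package that is not installed costs nothing and can never pull anything in. Package names, versions and ranges are constructed sample data; the `|`-separated range syntax mirrors the style of the Roave composer.json linked above.

```python
"""
Toy model of Composer "conflict" semantics, added as an illustration.
Conflict constraints can only reject package versions that are already
in the solver's scope; they never add a package to the solution.
This is not Composer's own code; all data below is constructed.
"""
import re

# Constructed sample: a Roave/SecurityAdvisories-style "conflict" map,
# each value being a |-separated list of vulnerable version ranges,
# with comma-separated clauses inside a range meaning AND.
SAMPLE_CONFLICT = {
    "acme/widget": ">=1.0,<1.2.5|>=2.0,<2.0.3",
    "acme/gadget": "<0.9.1",
}

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text):
    """Split a dotted version like '1.2.10' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def matches(version, constraint):
    """True if `version` satisfies every comma-separated clause of `constraint`."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"(>=|<=|==|!=|>|<)?\s*([\d.]+)", clause.strip())
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op = m.group(1) or "=="
        if not _OPS[op](v, parse_version(m.group(2))):
            return False
    return True


def in_conflict(name, version, conflict_map):
    """True if the package/version falls into any range of its conflict entry."""
    ranges = conflict_map.get(name)
    if ranges is None:
        return False
    return any(matches(version, r) for r in ranges.split("|"))


def rejected_packages(installed, conflict_map):
    """
    Return the installed packages a conflict map would reject.
    Only packages present in `installed` are examined: a conflict entry
    for a package that is not installed has no effect at all, which is
    why a large conflict map is cheap compared to a large require map.
    """
    return sorted(
        name
        for name, version in installed.items()
        if in_conflict(name, version, conflict_map)
    )


if __name__ == "__main__":
    # Constructed lock-file-like view of what the solver already has in scope.
    installed = {
        "acme/widget": "1.2.3",
        "acme/gadget": "0.9.1",
        "other/lib": "5.0.0",
    }
    print(rejected_packages(installed, SAMPLE_CONFLICT))  # ['acme/widget']
```

Running it shows that `acme/widget` 1.2.3 is rejected (it sits inside `>=1.0,<1.2.5`), `acme/gadget` 0.9.1 is the first fixed release and passes, and `other/lib` is never even looked at because it has no conflict entry.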

> @fabpot That information was also new to me. As a consequence, that could mean that hundreds or thousands of advisories from other projects (Symfony, TYPO3, Joomla, Drupal, WordPress, Yii2, ...) would be bundled in this repository... which in turn would mean growth in https://github.com/Roave/SecurityAdvisories/blob/master/composer.json and a potential impact on Composer actions, which would have to verify all version constraints.

Not a big deal, as @stof has highlighted: exclusions ("conflict" section) are much cheaper than inclusion of ranges ("require")