@jmikola
Created January 5, 2012 18:21
Log of #symfony-dev meeting 20120105 (all times GMT-5)
Jan 05 11:01:39 <Seldaek> it's time (but I don't have time to be around too much, so I hope someone can manage this)
Jan 05 11:02:01 <fabpot> Hi all
Jan 05 11:02:23 <cordoval> this is the link just in case http://www.doodle.com/kxpxkrvhgnd2bx5i
Jan 05 11:02:57 <cordoval> and http://goo.gl/BWjAN - [WIP] Integrates metadata into Symfony validator goes first as it has 3 checks
Jan 05 11:03:08 * stodan has quit (Quit: Over & Out)
Jan 05 11:04:18 <fabpot> I have not read the PR, nor do I know anything about the metadata library but we already have loader in the Config components
Jan 05 11:04:25 <fabpot> that are already used in quite a few places
Jan 05 11:04:35 <fabpot> so the first question is why not reuse them for the validator component
Jan 05 11:04:58 <beberlei> henrik is not here, he suggested that
Jan 05 11:05:12 <Stof> the goal of the Metadata libraries is mainly to manage the metadata after they are loaded
Jan 05 11:05:35 <asm89> ping johanness
Jan 05 11:05:52 <Stof> which is currently handled in the Validator component. the changes in the PR makes the merging from different sources smarter
Jan 05 11:06:17 * gimler (~chatzilla@dslb-178-000-018-130.pools.arcor-ip.net) has joined #symfony-dev
Jan 05 11:06:55 <fabpot> anyway, that would be for 2.2
Jan 05 11:07:09 * Piotras has quit (Ping timeout: 240 seconds)
Jan 05 11:07:44 * Piotras (~pp@91.218.68.252) has joined #symfony-dev
Jan 05 11:08:09 <johanness> the idea is to attach metadata to existing classes, the loaders which are just responsible for loading the metadata are only part of it
Jan 05 11:08:35 <johanness> but the question is more if we want to add a mandatory dependency (which would be the first) for a component
Jan 05 11:09:05 <fabpot> johanness: that's a very good question. Being part of Symfony would be better for sure.
Jan 05 11:13:30 <cordoval> each question is 10 minutes right?
Jan 05 11:13:31 * drak (31f409c3@gateway/web/freenode/ip.49.244.9.195) has joined #symfony-dev
Jan 05 11:13:39 <drak> hi
Jan 05 11:13:53 <cordoval> hi drak we are discussing the first item still
Jan 05 11:14:05 <cordoval> http://goo.gl/BWjAN - [WIP] Integrates metadata into Symfony validator
Jan 05 11:14:12 <drak> ok
Jan 05 11:17:19 * asm89 has quit (Quit: bye!)
Jan 05 11:18:27 <Seldaek> http://gifs.gifbin.com/052011/1304618376_tumbleweed-gif.gif
Jan 05 11:18:38 <cordoval> each question is 10 minutes right? if so we are ready for next item? it has no link but it is something very interesting: "maintenance of the form/validation layer"
Jan 05 11:18:39 <dustin10> haha
Jan 05 11:18:56 * n3ssi3 has quit (Quit: Linkinus - http://linkinus.com)
Jan 05 11:18:58 <drak> my thoughts exactly @saldaek
Jan 05 11:19:08 <r1pp3rj4ck> lol
Jan 05 11:19:10 <cordoval> I think henrik is not here so we can move into the next
Jan 05 11:19:26 <drak> is there any chance we can discuss the session stuff now?
Jan 05 11:19:37 <drak> it's getting v late here
Jan 05 11:20:00 <cordoval> drak no next one is "maintenance of the form/validation layer" but not sure, it is up to all here
Jan 05 11:20:28 <fabpot> I don't see why we would need to discuss this topic
Jan 05 11:20:39 <fabpot> Bernhard is not currently available (or he does not seem to be)
Jan 05 11:20:51 <fabpot> so, anyone can help if he wants/has the time to
Jan 05 11:21:35 <cordoval> then next one in the line is http://goo.gl/rwAIA - Document/Avoid Listener Priority Changes
Jan 05 11:21:54 <cordoval> someone ping johanness
Jan 05 11:22:52 <cordoval> but that sounds like a warning/practice, to avoid BC
Jan 05 11:23:03 <fabpot> yes, I have changed the priorities, but that was to fix a big issue
Jan 05 11:23:16 <fabpot> so, the ticket is more about documenting the current priorities and try to keep them as is
Jan 05 11:23:32 <cordoval> like on update.md or so
Jan 05 11:23:48 <johanness> fabpot, the question is also if it was necessary to change the priorities (e.g. from the 255 scale to something much smaller)
Jan 05 11:24:05 <johanness> for example changing the priority of the security listener will lead to silent security vulnerabilities in applications
Jan 05 11:24:38 <fabpot> johanness: but the listeners order has changed, so the current third-party listener priorities must change anyway
Jan 05 11:24:56 <fabpot> now, if we can change them in a way that is less problematic, I'm all for it
Jan 05 11:25:11 <fabpot> but we won't be able to keep BC for all listeners for sure
Jan 05 11:25:35 <fabpot> I can have a look at the old and current priorities and see if we can do better
Jan 05 11:25:42 <drak> if you have to change them, you have to change them. Documentation is the key.
Jan 05 11:25:51 <johanness> yeah, there is also a semi-related issue with the router/security integration
Jan 05 11:26:26 <johanness> right now if you protect a specific path by a firewall, an attacker has no way to infer routing information about any sub-path (much like htaccess)
Jan 05 11:26:43 <johanness> after your refactoring an attacker can spy out all routes that are available under that sub-path
Jan 05 11:26:54 <johanness> even if it is protected by a firewall
Jan 05 11:27:12 <johanness> so before looking at the priorities, this regression should be addressed
Jan 05 11:27:20 <Stof> drak: yeah, but changing the order of the 2 higher priorities without scaling them down would avoid having to change all listeners expecting to be run after both of them. the current change requires an update as their priority is far lower than before
Jan 05 11:27:32 <fabpot> I know that this feature was removed but the refactoring fixes all other issues, which was a much higher priority to me
Jan 05 11:27:40 <beberlei> is there a way to define assertions about "run before X" ?
Jan 05 11:27:47 <fabpot> beberlei: no
Jan 05 11:27:50 <elnur> o/
Jan 05 11:28:18 <cordoval> hi elnur we are discussing http://goo.gl/rwAIA - "Document/Avoid Listener Priority Changes"
Jan 05 11:28:58 <beberlei> in that case documentation is the only way to go i guess
Jan 05 11:29:45 <beberlei> should we keep a central document for all security + framework priorities, maybe even a file in the repository with its own changelog?
Jan 05 11:30:23 <elnur> cordoval, thx. i'll just watch. i don't think i have anything to say
Jan 05 11:31:53 * Piotras has quit (Ping timeout: 252 seconds)
Jan 05 11:32:12 <Seldaek> beberlei: I'd like to have that
Jan 05 11:32:31 <cordoval> beberlei: what is your idea are there similar rsts in the repos? is not a cookbook entry right?
Jan 05 11:32:58 <Seldaek> I mean ideally we need to "assign" ranges of priorities for certain purposes, with the core listeners being boundaries, like assigning wave spectrums for radio or TV broadcast..
Jan 05 11:33:11 * Piotras (~pp@91.218.68.252) has joined #symfony-dev
Jan 05 11:34:03 <Seldaek> because usually I end up just using very large or very small numbers just in case, since the boundaries are not clearly defined (unless you grep through everything)
Jan 05 11:34:55 <fabpot> Seldaek: defining ranges looks like a good idea
Jan 05 11:35:13 <fabpot> this is mostly needed for the request and response events, as we have quite a few listeners by default
Jan 05 11:35:22 * rande (~Adium@darkstar2.fullsix.com) has joined #symfony-dev
Jan 05 11:35:26 <fabpot> and almost only for the request event as the order does matter a lot
Jan 05 11:35:47 <Seldaek> yeah but for consistency if we have it for everything I think it'd be great
Jan 05 11:36:02 <Seldaek> I mean doing it for the rest shouldn't take too long if there are no listeners in core
Jan 05 11:36:10 <cordoval> defining ranges sounds a great idea which sounds like it can pave things for higher security
Jan 05 11:36:12 <fabpot> Seldaek: sure
Jan 05 11:37:54 <fabpot> the current documentation on the topic is here: http://symfony.com/doc/current/book/internals.html#events
Jan 05 11:38:17 <jmikola|w> for listeners that tend to share priorities, and rely on ordering they are bound, would it make sense to use parameters instead of hard-coding numbers?
Jan 05 11:39:07 <jmikola|w> just thinking that might be a reasonable way to define a bunch of wave spectrums - perhaps in FrameworkBundle
Jan 05 11:39:25 <jmikola|w> and SecurityBundle would naturally have its own
Jan 05 11:39:53 * notjosh has quit (Remote host closed the connection)
Jan 05 11:40:44 <beberlei> that sounds useful
Jan 05 11:42:47 <Seldaek> it's basically putting meaning onto numbers
Jan 05 11:45:43 * cordoval are we ready for next one? it is http://goo.gl/YvmIq - [HttpFoundation] Refactor session handling and flash messages
Jan 05 11:45:56 <cordoval> drak: are you still around?
Jan 05 11:46:12 <drak> yes, just :-)
Jan 05 11:46:19 <drak> 22:33 here
Jan 05 11:47:35 <cordoval> wow is massive
Jan 05 11:48:36 <drak> most interested parties have made reviews and suggestions over the last 3 months.
Jan 05 11:49:38 <fabpot> drak: I have still not finished the review yet, sorry about that
Jan 05 11:49:42 <fabpot> but the patch is really huge
Jan 05 11:50:18 <drak> it's fine. maybe we can chat over the next week if you have questions
Jan 05 11:50:47 <drak> from what I understand at this point it's pretty much waiting for your review.
Jan 05 11:51:16 <fabpot> drak: yes, this is a high priority on my todo list and we won't release the first 2.1 RC without a final decision about the inclusion of this patch
Jan 05 11:51:41 <drak> do you have any specific concerns at this point?
Jan 05 11:51:45 * inspiran has quit (Remote host closed the connection)
Jan 05 11:52:07 <fabpot> drak: yes, flashes
Jan 05 11:52:14 <cordoval> what is Stefan's nick name?
Jan 05 11:52:18 <paschke> paschke
Jan 05 11:52:29 <drak> what about flashes?
Jan 05 11:52:32 <paschke> that would be me
Jan 05 11:52:52 <eriksencosta> Stefan's nickname is skoop
Jan 05 11:53:01 * bshaffer|away is now known as bshaffer
Jan 05 11:53:54 <drak> From what i understand we've two issues regarding flashes. Flashes for Symfony2 framework, and flash capability of the HttpFoundation component
Jan 05 11:54:24 * johnkary has quit (Quit: johnkary)
Jan 05 11:54:59 <fabpot> drak: I think nobody has ever come up with real-world use cases of several flashes with the same name for the same request
Jan 05 11:55:12 <drak> however, all interested parties have stressed the need to have multiple messages in multiple flash categories.
Jan 05 11:55:27 <drak> we have them.
Jan 05 11:55:30 <fabpot> not me
Jan 05 11:55:43 * Herzult (~antoine@ip-7.net-82-216-139.issy4.rev.numericable.fr) has left #symfony-dev
Jan 05 11:55:59 * vincentl has quit (Quit: Leaving.)
Jan 05 11:55:59 <fabpot> we agreed that we need to have real-world use cases; as far as I know, we don't have any
Jan 05 11:57:05 <drak> here's a real example: in zikula modules can be present but not installed for example. We regenerate the list of available modules by scanning the FS and validating module state - is the module structure valid. is the module a newer version of an already installed module etc.
Jan 05 11:57:14 <fabpot> and AFAIK, rails (which is where the concept was invented I think) does not support this
Jan 05 11:57:33 <drak> also modules can be installed in bulk.
Jan 05 11:57:47 <fabpot> drak: that does not seem to be a use case for using a flash
Jan 05 11:58:00 * vincentl (~Adium@gut75-4-82-235-160-61.fbx.proxad.net) has joined #symfony-dev
Jan 05 11:58:10 <drak> so this is an example of multiple operations performed in bulk. Some of those might fail, so we report all the modules that installed, and the ones that did not.
Jan 05 11:58:16 <fabpot> and you can concatenate all the messages and then set the flash message
Jan 05 11:58:22 <drak> it's what Drupal does too.
Jan 05 11:58:41 <mvrhov> fabpot, but it the easiest to use/abuse. Also you can render multiple flashes in ul/li
Jan 05 11:58:46 <fabpot> the main point is that the creation of the flash is centralized. So, it's up to you to create the message on your own before setting the flash
Jan 05 11:58:54 <mvrhov> if you concat them you can't
Jan 05 11:59:13 <Stof> fabpot: centralized ? A listener could add flash messages too
Jan 05 11:59:36 <drak> fabpot: if we do that, then we're getting involved in internals rather than just using a simple API.
Jan 05 11:59:38 <fabpot> my concern is that I think that 99% of the time, you need a simple string for a flash. Forcing each one of them to be an array seems overkill
Jan 05 11:59:47 <fabpot> centralized in YOUR code
Jan 05 12:00:38 <drak> the problem is we're dealing with HttpFoundation as a component.. if you are just using that, then you might not have the event dispatcher. It's very easy to talk about using listeners, but this works only in the context of Symfony2 framework, not someone wanting to just use HttpFoundation
Jan 05 12:01:41 * UKB|Out (~unknownbl@unaffiliated/unknownbliss) has joined #symfony-dev
Jan 05 12:01:56 <fabpot> I am not talking about listener
Jan 05 12:02:04 <drak> fabpot: so many people have asked for this feature in flash messages. It might not be how Ruby designed it, but flashes have been around in different forms for a long time, not just from Ruby.
Jan 05 12:02:37 <rande> do you argue on adding $foo->addFlash('name', 'category') vs $foo->setFlash('name', 'category') where the inner implementation used an array or not ?
Jan 05 12:02:47 * ajessu has quit (Quit: Leaving.)
Jan 05 12:02:56 <fabpot> drak: if I listen to everything people want, Symfony2 would be a mess. Without use cases that are good usage of the flash messages, support won't be added.
Jan 05 12:03:35 <fabpot> rande: basically, the question is whether a named flash is a string or an array
Jan 05 12:04:21 <fabpot> rande: can we have more than one 'notice' for a single request?
Jan 05 12:04:40 <rande> in my use cases : no
Jan 05 12:04:53 <rande> a notice should report a result
Jan 05 12:04:57 <paschke> fabpot, johanness, can I quickly have your opinion on the concurrent sessions PR before the meeting ends?
Jan 05 12:04:59 <fabpot> we should make a difference between a flash and a validation error/message
Jan 05 12:05:08 <rande> yes
Jan 05 12:05:10 <cordoval> Stefan your PR is next
Jan 05 12:05:17 <cordoval> in line is http://goo.gl/XBNHC - [2.1][Security] concurrent sessions
Jan 05 12:05:20 * everzet has quit (Quit: Linkinus - http://linkinus.com)
Jan 05 12:05:33 <paschke> cordoval, thanks
Jan 05 12:05:35 <fabpot> I fear that opening the API too much will make people abuse the system and use it for validation
Jan 05 12:05:37 <drak> fabpot: some people choose to use flashes for validation, some for just a simple response to a controller success/fail
Jan 05 12:06:03 <fabpot> drak: hehe, exactly what I fear
Jan 05 12:06:09 <drak> but there are complex system where listeners might message the user for example.
Jan 05 12:06:24 <rande> I think we are more talking about a notification bundle where multiple notices can be showed to the end user
Jan 05 12:06:34 <fabpot> keep in mind that flash names can be anything
Jan 05 12:06:42 <fabpot> so your listeners just need to choose a unique name
Jan 05 12:06:55 <drak> again, too much focus on bundles/symfony2 framework. The components need to be able to stand on their own.
Jan 05 12:07:01 <fabpot> rande: agreed. that's why I want real use cases.
Jan 05 12:07:23 <paschke> I opened this PR last may, johanness asked me to provide a DBAL default implementation (instead of using ORM)
Jan 05 12:07:54 <drak> ok fabpot, I'll compile some usecases.
Jan 05 12:07:55 <rande> flash is more about the result of action. drak's use case is more about a notification system (with a real persistency)
Jan 05 12:07:58 <drak> and paste to the PR
Jan 05 12:08:06 <cordoval> ok so we can continue discussion of previous topic on its thread, now if Stefan is ready next one in line is http://goo.gl/XBNHC - [2.1][Security] concurrent sessions
Jan 05 12:08:11 <fabpot> drak: not at all. Flashes have been created for a very well defined use case and that's all we need to support
Jan 05 12:08:19 <cordoval> take it away Stefan paschke ?
Jan 05 12:08:30 <fabpot> if there is a need for a notification system, then let's talk about that
Jan 05 12:08:56 <rande> fabpot: notification system can be a huge topic ;)
Jan 05 12:08:59 <Stof> fabpot: but how do you distinguish if the flash message should be styled as info or error when rendering them if the name is not the way to know it ? There is no way to categorize flashes currently
Jan 05 12:09:31 <rande> yes, we need default flash type
Jan 05 12:09:57 <Seldaek> so instead of allowing many per name, you want to add a category/type
Jan 05 12:10:04 <Seldaek> same thing pretty much
Jan 05 12:10:32 <Stof> Seldaek: if the name is a unique identifier, we need another way to figure a type
Jan 05 12:11:24 <Seldaek> yeah but if the "no" camp agrees to add a type, then everyone agrees on the need for types (or multiple flashes per type, except now the type is the name)
Jan 05 12:11:40 <drak> https://github.com/drak/symfony/blob/session_refactor/src/Symfony/Component/HttpFoundation/FlashBagInterface.php
Jan 05 12:11:48 <Seldaek> and then the discussion is only about how the API should look and not anymore about whether it makes sense or not
Jan 05 12:12:04 * vincentl has quit (Quit: Leaving.)
Jan 05 12:12:05 * gimler has quit (Quit: ChatZilla 0.9.88 [Firefox 8.0/20111115183813])
Jan 05 12:13:00 <fabpot> Seldaek: my concern is not the API, but the concept
Jan 05 12:13:02 * beberlei has quit (Quit: ChatZilla 0.9.88 [Firefox 8.0.1/20111120135848])
Jan 05 12:14:16 * steveoliver (~steveoliv@ip72-197-41-232.sd.sd.cox.net) has joined #symfony-dev
Jan 05 12:14:18 <Stof> fabpot: how would you distinguish error and info messages when rendering them to change the styling ?
Jan 05 12:15:21 <fabpot> we already have a name and a value. The name is the type (error, info, notice, whatever you want), so the styling is done according to the name/type
Jan 05 12:15:29 <fabpot> that works today
Jan 05 12:15:37 * notjosh (~notjosh@a212044.upc-a.chello.nl) has joined #symfony-dev
Jan 05 12:15:49 <Stof> fabpot: as the name is meant to be unique, you cannot have 2 info messages (one from a listener and one from a controller)
Jan 05 12:16:04 <Stof> which is why I said that a unique name cannot be used properly for this
Jan 05 12:16:06 <drak> so your objection is the ability to have more than one notice.
Jan 05 12:16:11 <rande> Stof: how this situation can happen?
Jan 05 12:16:25 <fabpot> drak: yes
Jan 05 12:16:48 <Stof> rande: a listener could add flash messages. the controller is not the only one
Jan 05 12:17:11 <rande> Stof: what is the use case ?
Jan 05 12:17:13 <drak> stof: but fabpot doesn't see that as a valid use of flashes...
Jan 05 12:17:34 * dbu has quit (Remote host closed the connection)
Jan 05 12:17:34 <rande> if a listener adds a flash, it will probably also alter the response
Jan 05 12:17:42 <rande> and so no controller will be called
Jan 05 12:17:57 <drak> no, not in a complex system like Zikula for example.
Jan 05 12:18:00 <drak> or Drupal
Jan 05 12:18:18 <Stof> rande: flash messages are not stored in the response but in the session
Jan 05 12:18:27 <Stof> you don't need to set a response to set them
Jan 05 12:18:32 <drak> several things can be going on, not just the main controller request. You have blocks for example and a bunch of listeners interacting with things.
Jan 05 12:19:01 <Stof> anyway, I need to go
Jan 05 12:19:05 <drak> me too
Jan 05 12:19:09 * bergie has quit (Ping timeout: 240 seconds)
Jan 05 12:19:15 <drak> it's 23:06
Jan 05 12:19:17 <drak> :)
Jan 05 12:19:27 <drak> guess we're over time anyway :)
Jan 05 12:19:29 <cordoval> ok paschke sorry take it away
Jan 05 12:19:55 <cordoval> wait still Stefan has his PR here http://goo.gl/XBNHC - [2.1][Security] concurrent sessions
Jan 05 12:20:05 <paschke> like I just said, I added the DBAL default implementation johanness asked for
Jan 05 12:20:16 * drak has quit (Quit: Page closed)
Jan 05 12:20:22 <cordoval> johanness: is afk
Jan 05 12:20:32 <paschke> and I'd appreciate feedback and also need to know if this could still go into 2.1
Jan 05 12:21:28 <cordoval> lsmith is not here and Stof just left
Jan 05 12:21:58 <cordoval> fabpot, someone?
Jan 05 12:23:20 <r1pp3rj4ck> going home, guys
Jan 05 12:23:21 <r1pp3rj4ck> see ya
Jan 05 12:23:26 <cordoval> laters r1
Jan 05 12:24:02 <cordoval> Stefan most likely Stof and lsmith will reply something in your PR
Jan 05 12:24:10 * r1pp3rj4ck has quit (Quit: leaving)
Jan 05 12:24:22 <cordoval> there were no votes for http://goo.gl/iU7Ma - [Form] Fix "pattern" option for date field type and http://goo.gl/ZGDCY - Regression in Security/Router Integration
Jan 05 12:24:31 <paschke> ok thanks
Jan 05 12:24:46 <cordoval> this is the end of the meeting i guess, can someone cat the logs?
Jan 05 12:24:53 <cordoval> Seldaek: ?
Jan 05 12:25:09 <cordoval> who has that feature? someone send the logs over the -dev ml
Jan 05 12:25:11 <cordoval> thanks guys