Zend Framework 2.5.0 Released!


Zend Framework 2.5.0 Released!

weierophinney
Administrator
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html


--
Matthew Weier O'Phinney
Principal Engineer
Project Lead, Zend Framework and Apigility
[hidden email]
http://framework.zend.com
http://apigility.org
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc

Re: Zend Framework 2.5.0 Released!

Francis Angelino Gonzales Tello
What great news, it's time to move the community!



Greetings.

2015-06-03 14:57 GMT-05:00 Matthew Weier O'Phinney <[hidden email]>:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html


--
Matthew Weier O'Phinney
Principal Engineer
Project Lead, Zend Framework and Apigility
[hidden email]
http://framework.zend.com
http://apigility.org
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc



--
Saludos Cordiales
Francis Gonzales

Re: Zend Framework 2.5.0 Released!

Marc Bennewitz-4
In reply to this post by weierophinney
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual
components who do not already have them, like me?

Thanks,
Marc

On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:

> We've just released Zend Framework 2.5.0!
>
> This release is the first major milestone towards v3.0.0; in this
> release, Zend Framework becomes a metapackage that pulls in each of
> the components from their own repositories.
>
> I encourage you to read the full release announcement to understand
> what has been done, how it might affect your project, and what our
> next steps will look like towards version 3:
>
> - http://framework.zend.com/blog/zend-framework-2-5-0-released.html
>
>


Re: Zend Framework 2.5.0 Released!

GoT
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html







Re: Zend Framework 2.5.0 Released!

Marco Pivetta

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html







Re: Zend Framework 2.5.0 Released!

Kevin McArthur-2
Uhm,

https://github.com/composer/composer/issues/1074 is still open since September 2012, still RCE exploitable, and shows no sign of being fixed.

It was bad enough that the ZFW project was recommending composer use, but to require a lib they know to have active remote code execution vulnerabilities? Really?

--

Kevin

On 2015-07-05 9:33 AM, Marco Pivetta wrote:

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html







Re: Zend Framework 2.5.0 Released!

GoT
Agree, and forcing someone to use a dependency manager isn't a good idea :/

2015-07-06 18:10 GMT+02:00 Kevin McArthur <[hidden email]>:
Uhm,

https://github.com/composer/composer/issues/1074 is still open since September 2012, still RCE exploitable, and shows no sign of being fixed.

It was bad enough that the ZFW project was recommending composer use, but to require a lib they know to have active remote code execution vulnerabilities? Really?

--

Kevin


On 2015-07-05 9:33 AM, Marco Pivetta wrote:

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html







Re: Zend Framework 2.5.0 Released!

adamlundrigan
You're not forced to use it... not using it is just more work for you than it was before. You can still pull the individual packages you need from GitHub as tarballs or git submodules and stitch them into your application's autoloader.

First, for those users who were incorporating the repository via git submodules, that approach will no longer work, as the ZF2 repository no longer contains code! If you are doing this, you will either need to start using Composer, or add every component as a git submodule, which will likely also require setting up custom autoloading.


--
Adam Lundrigan, B.Sc, ZCPE, ZFCA
Freelance Software Developer
Cell: (709) 730-2326

Member, Unifor Canadian Freelance Union

On Mon, Jul 6, 2015 at 4:44 PM, Pierre Rambaud <[hidden email]> wrote:
Agree, and forcing someone to use a dependencies manager isn't a good idea :/

2015-07-06 18:10 GMT+02:00 Kevin McArthur <[hidden email]>:
Uhm,

https://github.com/composer/composer/issues/1074 is still open since September 2012, still RCE exploitable, and shows no sign of being fixed.

It was bad enough that the ZFW project was recommending composer use, but to require a lib they know to have active remote code execution vulnerabilities? Really?

--

Kevin


On 2015-07-05 9:33 AM, Marco Pivetta wrote:

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html







Re: Zend Framework 2.5.0 Released!

Spabby
While there is a possible man-in-the-middle vector with Composer because of the lack of package signing, let's be honest here, Composer has gained widespread adoption through the PHP community, and rightly so. If you are nervous of using Composer in your own environment, then you aren't required to use it. As other people have said, there are alternatives in which you pull the packages you require direct from GitHub and set up your own autoloading.

I DO think there is a case for explaining this in the ZF2 global documentation, and I've opened a ticket in that regard (https://github.com/zendframework/documentation/issues/3). However, I see no reason at all to advise users in the individual repositories to install with any other method than Composer. If it's good enough for Amazon (http://docs.aws.amazon.com/aws-sdk-php/v3/guide/getting-started/installation.html#installing-via-composer), Google (https://developers.google.com/api-client-library/php/start/installation), Facebook (https://developers.facebook.com/docs/php/gettingstarted/4.0.0), etc., then I think it's good enough for us.



On Mon, 6 Jul 2015 at 20:41 Adam Lundrigan <[hidden email]> wrote:
You're not forced to use it...not using is just more work for you than it was before.  You can still pull the individual packages you need from GitHub as tarballs or git submodules and stitch them into your application's autoloader.  

First, for those users who were incorporating the repository via git submodules, that approach will no longer work, as the ZF2 repository no longer contains code! If you are doing this, you will either need to start using Composer, or add every component as a git submodule, which will likely also require setting up custom autoloading.


--
Adam Lundrigan, B.Sc, ZCPE, ZFCA
Freelance Software Developer
Cell: (709) 730-2326

Member, Unifor Canadian Freelance Union

On Mon, Jul 6, 2015 at 4:44 PM, Pierre Rambaud <[hidden email]> wrote:
Agree, and forcing someone to use a dependencies manager isn't a good idea :/

2015-07-06 18:10 GMT+02:00 Kevin McArthur <[hidden email]>:
Uhm,

https://github.com/composer/composer/issues/1074 is still open since September 2012, still RCE exploitable, and shows no sign of being fixed.

It was bad enough that the ZFW project was recommending composer use, but to require a lib they know to have active remote code execution vulnerabilities? Really?

--

Kevin


On 2015-07-05 9:33 AM, Marco Pivetta wrote:

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html







Re: Zend Framework 2.5.0 Released!

Marcos Lois Bermúdez
Hi,

You can always use your own private composer repository; there are some open source projects that can help to build one.

So you can do package signing, hash verification or whatever check you want to perform on packages.

Regards.

On 7 July 2015 at 08:55, Gary Hockin <[hidden email]> wrote:
While there is a possible man-in-the-middle vector with Composer because of the lack of package signing, let's be honest here, Composer has gained widespread adoption through the PHP community, and rightly so. If you are nervous of using Composer in your own environment, then you aren't required to use it. As other people have said, there are alternatives in which you pull the packages you require direct from GitHub and setup your own autoloading. 

I DO think there is a case for explaining this in the ZF2 global documentation, and I've opened a ticket to that regard (https://github.com/zendframework/documentation/issues/3). However, I see no reason at all to advise users in the individual repositories to install with any other method than Composer. If it's good enough for Amazon (http://docs.aws.amazon.com/aws-sdk-php/v3/guide/getting-started/installation.html#installing-via-composer), Google (https://developers.google.com/api-client-library/php/start/installation), Facebook (https://developers.facebook.com/docs/php/gettingstarted/4.0.0), etc, then I think it's good enough for us.



On Mon, 6 Jul 2015 at 20:41 Adam Lundrigan <[hidden email]> wrote:
You're not forced to use it...not using is just more work for you than it was before.  You can still pull the individual packages you need from GitHub as tarballs or git submodules and stitch them into your application's autoloader.  

First, for those users who were incorporating the repository via git submodules, that approach will no longer work, as the ZF2 repository no longer contains code! If you are doing this, you will either need to start using Composer, or add every component as a git submodule, which will likely also require setting up custom autoloading.


--
Adam Lundrigan, B.Sc, ZCPE, ZFCA
Freelance Software Developer
Cell: (709) 730-2326

Member, Unifor Canadian Freelance Union

On Mon, Jul 6, 2015 at 4:44 PM, Pierre Rambaud <[hidden email]> wrote:
Agree, and forcing someone to use a dependencies manager isn't a good idea :/

2015-07-06 18:10 GMT+02:00 Kevin McArthur <[hidden email]>:
Uhm,

https://github.com/composer/composer/issues/1074 is still open since September 2012, still RCE exploitable, and shows no sign of being fixed.

It was bad enough that the ZFW project was recommending composer use, but to require a lib they know to have active remote code execution vulnerabilities? Really?

--

Kevin


On 2015-07-05 9:33 AM, Marco Pivetta wrote:

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html
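
The hash check suggested in the post above, as an added example that is not part of the thread and is not code from Composer or Zend Framework: a gate for a private mirror that admits a downloaded component archive only when its SHA-256 matches a digest recorded when that release was reviewed. The pin-file format, the function names, the component versions and the sample archive bytes are assumptions constructed for the illustration.

```python
"""Admit an archive to a private mirror only if its SHA-256 matches a pin."""
import hashlib
import hmac
import io
import re

# Hypothetical pin-file line: "<sha256 hex>  vendor/package@version"
PIN_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+)@(\S+)$")


def parse_pins(text):
    """Parse pin lines into {(package, version): digest}.

    Malformed lines and conflicting duplicates raise ValueError, so a damaged
    pin file stops the import instead of silently weakening the check.
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_LINE.match(line)
        if match is None:
            raise ValueError(f"pin file line {lineno}: malformed entry")
        digest, package, version = match.groups()
        if pins.get((package, version), digest) != digest:
            raise ValueError(f"pin file line {lineno}: conflicting digest")
        pins[(package, version)] = digest
    return pins


def sha256_stream(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so large archives are not read whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def check_archive(package, version, stream, pins):
    """Return (admitted, reason); a package without a pin is rejected."""
    expected = pins.get((package, version))
    if expected is None:
        return False, "no pin recorded"
    if not hmac.compare_digest(sha256_stream(stream), expected):
        return False, "digest mismatch"
    return True, "ok"


def admit(downloads, pins):
    """Split {(package, version): bytes} into an admitted list and rejections."""
    admitted, rejected = [], {}
    for (package, version), data in sorted(downloads.items()):
        ok, reason = check_archive(package, version, io.BytesIO(data), pins)
        if ok:
            admitted.append(f"{package}@{version}")
        else:
            rejected[f"{package}@{version}"] = reason
    return admitted, rejected


# Constructed sample data: byte strings standing in for reviewed archives.
STDLIB = ("zendframework/zend-stdlib", "2.5.0")
JSON = ("zendframework/zend-json", "2.5.0")
HTTP = ("zendframework/zend-http", "2.5.0")
REVIEWED = {
    STDLIB: b"constructed stand-in for the reviewed zend-stdlib archive",
    JSON: b"constructed stand-in for the reviewed zend-json archive",
}
PIN_FILE = "# pins recorded at review time\n" + "".join(
    f"{hashlib.sha256(data).hexdigest()}  {pkg}@{ver}\n"
    for (pkg, ver), data in REVIEWED.items()
)
DOWNLOADS = {
    STDLIB: REVIEWED[STDLIB],              # identical to the reviewed bytes
    JSON: REVIEWED[JSON] + b" (altered)",  # same name, different bytes
    HTTP: b"constructed stand-in for an archive nobody reviewed",
}

if __name__ == "__main__":
    ok, bad = admit(DOWNLOADS, parse_pins(PIN_FILE))
    print("admitted:", ok)
    print("rejected:", bad)
```

The pin file is only as trustworthy as the channel it arrives over, so it belongs in version control or a signed artifact, not next to the downloads it vouches for.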







Re: Zend Framework 2.5.0 Released!

Kevin McArthur-2
In reply to this post by Spabby
We're not talking about nervous. We're talking about a well known, actively exploited, remote code execution vector. The fact that the ZFW project would adopt this lib in such a core way speaks to its security posture.

That others are jumping off this bridge just shows how broken the php-security community is. It isn't a reason to ignore the fact that this change makes ZFW applications, servers and development desktops trivially hackable. Not sure how many more slide decks stating 'we hunt sysadmins', massive credit card breaches or gigabyte-sized password dumps you guys need before you'll take some responsibility for validating the code you use before recommending or forcing it on others.

Pierre's request for a workable without-composer pathway is entirely reasonable.

--

Kevin



On 2015-07-06 11:55 PM, Gary Hockin wrote:
While there is a possible man-in-the-middle vector with Composer because of the lack of package signing, let's be honest here, Composer has gained widespread adoption through the PHP community, and rightly so. If you are nervous of using Composer in your own environment, then you aren't required to use it. As other people have said, there are alternatives in which you pull the packages you require direct from GitHub and setup your own autoloading. 

I DO think there is a case for explaining this in the ZF2 global documentation, and I've opened a ticket to that regard (https://github.com/zendframework/documentation/issues/3). However, I see no reason at all to advise users in the individual repositories to install with any other method than Composer. If it's good enough for Amazon (http://docs.aws.amazon.com/aws-sdk-php/v3/guide/getting-started/installation.html#installing-via-composer), Google (https://developers.google.com/api-client-library/php/start/installation), Facebook (https://developers.facebook.com/docs/php/gettingstarted/4.0.0), etc, then I think it's good enough for us.



On Mon, 6 Jul 2015 at 20:41 Adam Lundrigan <[hidden email]> wrote:
You're not forced to use it...not using is just more work for you than it was before.  You can still pull the individual packages you need from GitHub as tarballs or git submodules and stitch them into your application's autoloader.  

First, for those users who were incorporating the repository via git submodules, that approach will no longer work, as the ZF2 repository no longer contains code! If you are doing this, you will either need to start using Composer, or add every component as a git submodule, which will likely also require setting up custom autoloading.


--
Adam Lundrigan, B.Sc, ZCPE, ZFCA
Freelance Software Developer
Cell: (709) 730-2326

Member, Unifor Canadian Freelance Union

On Mon, Jul 6, 2015 at 4:44 PM, Pierre Rambaud <[hidden email]> wrote:
Agree, and forcing someone to use a dependencies manager isn't a good idea :/

2015-07-06 18:10 GMT+02:00 Kevin McArthur <[hidden email]>:
Uhm,

https://github.com/composer/composer/issues/1074 is still open since September 2012, still RCE exploitable, and shows no sign of being fixed.

It was bad enough that the ZFW project was recommending composer use, but to require a lib they know to have active remote code execution vulnerabilities? Really?

--

Kevin


On 2015-07-05 9:33 AM, Marco Pivetta wrote:

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html







Re: Zend Framework 2.5.0 Released!

Spabby

It is, which is why I opened the ticket.


On Tue, 7 Jul 2015 17:39 Kevin McArthur <[hidden email]> wrote:
We're not talking about nervous. We're talking about a well known, actively exploited, remote code execution vector. The fact that the ZFW project would adopt this lib in such a core way speaks to its security posture.

That others are jumping off this bridge just shows how broken the php-security community is. It isn't a reason to ignore the fact that this change makes ZFW applications, servers and development desktops trivially hackable. Not sure how many more slide decks stating 'we hunt sysadmins', massive credit card breaches or gigabyte-sized password dumps you guys need before you'll take some responsibility for validating the code you use before recommending or forcing it on others.

Pierre's request for a workable without-composer pathway is entirely reasonable.

--

Kevin




On 2015-07-06 11:55 PM, Gary Hockin wrote:
While there is a possible man-in-the-middle vector with Composer because of the lack of package signing, let's be honest here, Composer has gained widespread adoption through the PHP community, and rightly so. If you are nervous of using Composer in your own environment, then you aren't required to use it. As other people have said, there are alternatives in which you pull the packages you require direct from GitHub and setup your own autoloading. 

I DO think there is a case for explaining this in the ZF2 global documentation, and I've opened a ticket to that regard (https://github.com/zendframework/documentation/issues/3). However, I see no reason at all to advise users in the individual repositories to install with any other method than Composer. If it's good enough for Amazon (http://docs.aws.amazon.com/aws-sdk-php/v3/guide/getting-started/installation.html#installing-via-composer), Google (https://developers.google.com/api-client-library/php/start/installation), Facebook (https://developers.facebook.com/docs/php/gettingstarted/4.0.0), etc, then I think it's good enough for us.



On Mon, 6 Jul 2015 at 20:41 Adam Lundrigan <[hidden email]> wrote:
You're not forced to use it...not using is just more work for you than it was before.  You can still pull the individual packages you need from GitHub as tarballs or git submodules and stitch them into your application's autoloader.  

First, for those users who were incorporating the repository via git submodules, that approach will no longer work, as the ZF2 repository no longer contains code! If you are doing this, you will either need to start using Composer, or add every component as a git submodule, which will likely also require setting up custom autoloading.


--
Adam Lundrigan, B.Sc, ZCPE, ZFCA
Freelance Software Developer
Cell: (709) 730-2326

Member, Unifor Canadian Freelance Union

On Mon, Jul 6, 2015 at 4:44 PM, Pierre Rambaud <[hidden email]> wrote:
Agree, and forcing someone to use a dependencies manager isn't a good idea :/

2015-07-06 18:10 GMT+02:00 Kevin McArthur <[hidden email]>:
Uhm,

https://github.com/composer/composer/issues/1074 is still open since September 2012, still RCE exploitable, and shows no sign of being fixed.

It was bad enough that the ZFW project was recommending composer use, but to require a lib they know to have active remote code execution vulnerabilities? Really?

--

Kevin


On 2015-07-05 9:33 AM, Marco Pivetta wrote:

There is no "cumulative package" anymore: you are supposed to install via composer.

On Jul 5, 2015 6:31 PM, "Pierre Rambaud" <[hidden email]> wrote:
Hi,

Anyone know when we will be able to download the latest release without composer?

Regards,

2015-06-04 11:17 GMT+02:00 Marc Bennewitz <[hidden email]>:
Hi Matthew,

Great news!

Do you move all the issues into the individual components automatically?
Is it possible for component maintainers to get rights on individual components who does not already like me ?

Thanks,
Marc


On 06/03/2015 09:57 PM, Matthew Weier O'Phinney wrote:
We've just released Zend Framework 2.5.0!

This release is the first major milestone towards v3.0.0; in this
release, Zend Framework becomes a metapackage that pulls in each of
the components from their own repositories.

I encourage you to read the full release announcement to understand
what has been done, how it might affect your project, and what our
next steps will look like towards version 3:

- http://framework.zend.com/blog/zend-framework-2-5-0-released.html





