Integration of afragen/git updater lite
#317
Conversation
This integration will work with any plugins/themes that have data in the Update URI header, only requirement is AspireUpdate be active. There is an update to GUL coming but the code is all in here, it's just incorrectly versioned so don't run composer update until GUL v2.2.0 is released.
afragen
requested review from
chuckadams,
asirota,
toderash,
namithj and
a team
This reverts commit 2282cf8.
|
PR will fail testing until I commit GUL v2.2.0. Awaiting test updates for it. |
|
Why do we need this in AU? Please dont merge this in until the requirement is discussed and everyone is onboard. |
|
Does this require connection with a GU server instance, or is this just using the GUL routines to process the downloaded zip? And does fixing the zip fix the issue with non-detection? I thought that was related to the dash in the dirname. |
Thats another PR #315 |
|
It does require a connection with a GU Update API Server instance. It will use GUL to update AU. |
|
Fixing the workflow is different. |
|
The only similar function between GU and GUL is updating and the data for the View details modal. GU has so much more and most users won't have GU installed, it's a developer tool. |
|
FWIW I took out the class GUL_Loader and simply added it for AU. |
|
Some info on why this is beneficial: Currently, AspireUpdate is only available from AspireCloud or direct download. Git Updater Lite decouples updating AspireUpdate from AspireCloud, so that AspireUpdate will receive updates even if the selected server goes down (whether AC production, AC bleeding edge, third-party instance of AC, or third-party API). Integrating Git Updater Lite means it retrieves the latest update data from the AspirePress website, and pulls it from GitHub. This saves us having to upload a new asset ZIP and maintain update data, which would be required otherwise. |
|
If we ourself are not confident about our update system that we need to fall back on another system, how would we convince others to use AC. This is an Ask.com tool bar like situation where we Trojan horse in another updater. If AC has limitations we should work to adddress that and not try and bypass it. |
|
Additionally we already spoke about using the GU api which @afragen is developing as another source in AE (which will then reach AU eventually). Unless a user chooses GU as the plugin source we should not push it upon them. Let's keep AC and GU separate. |
It's not just about confidence. The fundamental purpose of AspireUpdate is to rewrite API urls to another location. That location may not have AspireUpdate in its listings. We therefore need to ensure AspireUpdate is decoupled from the side effect of its own actions. |
This isn't merging AspireCloud and Git Updater. It's integrating Git Updater Lite and AspireUpdate specifically to handle updating to AspireUpdate from its canonical source because the configured API host may not have any AspireUpdate source available. While AspirePress would of course like to see everyone using AspireCloud, AspireUpdate, and AspireExplorer in conjunction, there's no requirement to use them with each other. Therefore, what we do in one project shouldn't be assumed to benefit another. |
|
We should respect the users decision in that scenario, if we really want to decouple AU from the update process, the functionality should be added to AU core and not as a dependency. We should not be introducing third party projects into AU core unless it's mission critical as it will impact security and stability as it's beyond our control. Dependency decisions like this need to have a triage and then only moved to code phase. |
"the user's decision" in this scenario may have one of these outcomes:
We don't have control over those third-party API servers - that's the security and stability issue.
Of course it's within our control. We choose what we ship with AspireUpdate. If we've tested a newer version of a dependency and it's not stable or secure, we can lock it to the previous version. I'd also say this is mission critical. |
Also, I'd ask that you take a moment to reconsider before posting this kind of thing. It's needlessly dramatic and taints a discussion by presenting one view as being dishonest or even malicious. |
Both are valid user decisions and we should respect that. I really don't understand why we have to bypass everything and auto update one plugin. AU should be considered as another plugin, it should have no special privileges. |
A user most likely won't know that their choice doesn't have AspireUpdate or has its own source for AspireUpdate. Their decision was to choose an API host. That doesn't mean the host has informed them, nor that the user will have considered that risk.
This is no different to using the This doesn't auto-update the plugin. WP Core won't auto-update the plugin unless the user has enabled auto-updates for it. |
|
Just to complete the loop here for documentation, this was decided in our weekly PM meeting after reviewing all the concerns and the proposed PR. The approach of updating AspireUpdate from GitHub rather than from AspireCloud closes a potential security issue in the supply chain. This doesn't need documenting here, but there are specific reasons to handle this outside of ACloud, and the concerns expressed have been identified and addressed accordingly. cc @costdev |
Pull Request
Integrate Git Updater Lite
(Please list the changes you made...)
afragen/git-updater-lite: ^2Updater URIheader to main plugin file but will need to change theUpdate URIheader once an AspirePress Update API Server is set up.Did you fix any specific items
Simpler update and integration of AspireUpdate plugin than exists in AC
Fixes #314
Fixes #240
CERTIFICATION
By opening this pull request, I do agree to abide by the Code of Conduct and be bound by the terms of the Contribution Guidelines in effect on the date and time of my contribution as proven by the revision information in GitHub.