githubProvisioner introduces the use of Composer.

Adding a New External Package

  1. Is the use of an external package really necessary? Balance the convenience of using a package against the increased maintenance (and potential increased security exposure) before deciding to proceed.
  2. Is the external package you want to use appropriately licensed? The package you want to use must be licensed with an Apache "Category A" open source license in order to be compatible with the Apache 2.0 license. If it is not, or if you aren't sure, you cannot use the package.
  3. Add the package to the source tree, depending on what type of package it is.
    1. JavaScript utilities generally go in $REGISTRY/app/webroot/js.
    2. Cake plugins generally go in $REGISTRY/app/Plugin.
    3. Anything else generally goes in $REGISTRY/app/Vendor.
  4. Update $REGISTRY/NOTICE and be sure to comply with any notification requirements imposed by the package.
    1. Warning: When using "minified" JavaScript, you probably need to include a separate license file, either in the same directory or in $REGISTRY/NOTICE. Minified versions typically do not include the license, just a reference to the license, which is typically not actually compliant with the license itself.
  5. Update Version Dependencies.