Symfony Installation For Developer and System Administrator

Symfony, the PHP framework which has won the PHP framework market share as quite a few crucial PHP projects already transitioned or use either Symfony2 framework or its components. While I'm not a fan of Symfony due to its Javaism which introduces unnecessary complexity and divert from the original PHP design principles, but you can't ignore the influences it brought to PHP world.

Four years ago, I was evaluating it for a new project, but decided to go with CodeIgniter and Kohana due to project size and time frame. Always go for something you're familiar with instead venturing into new unknown territory. The money and time spent does not justify it. Everyone wants it fast, cheat, and don't really care about longevity of any projects. Enough ramblings, let us revisit the installation.

There are many ways to install or use Symfony framework but the recommended way is to use the Symfony installer. Although installation through Composer (deprecated), PEAR (deprecated), or GNU/Linux distros packages are still feasible.

First, getting the Symfony installer which you can obtain by downloading the binary directly and install locally. Popularized by those developer who want to have a universal quick installation method between GNU/Linux and MacOS. The Curl's -LsS parameter means that to download from a location (-L), silently (-s), but show errors (-S). Go to Explain Shell for the full parameters details.
$ sudo curl -LsS http://symfony.com/installer -o /usr/local/bin/symfony
$ sudo chmod a+x /usr/local/bin/symfony

Quick and convenient right? Indeed for developer point of view who want to bootstrap any application using Symfony framework quickly. However, for a system administrator, this is a big no-no, especially in production server, where priorities are targeted towards stability and security. Why so? Note that we should always verify the authenticity of any downloaded installer to check for any corruption or tampering. While there is way to verify Symfony components, we can't seem to find it for Symfony installer. Hence, such installation method, while convenient, lack assurances.

If you're a system administrator, surely you will prefer the default packages that come with your GNU/Linux distros. For sure, you are guarantee of well-tested and automated security updates. Something that is not possible if you install the Symfony framework manually where you've to keep track of any security advisories. The trade-off is that you've to stick with legacy but stable version of the framework which may not be supported anymore.

For example, in Fedora 22, which was release few weeks back, the available Symfony version is 2.5.11. Unfortunately, after checking release schedule and roadmap checker, there will be no support of security fixes after July 2015 and is advisable to upgrade to version 2.7.x.
$ dnf info php-symfony | grep Version
Version     : 2.5.11

If you're starting a new Symfony project, are you going to use the default and outdated Symfony packages that comes with your distro? Surely not. Who in the right mind will develop against an unsupported version? And furthermore, developer always like fancy new toys.

This is one of the dilemma when the distro packages is not catching up with the release cycle of the software. Another good example is in Fedora 22, there are still packages for PEAR channel for Symfony, where this is not supported anymore due to the transition to Composer. I'm not sure why Symfony 2.5 was selected but obviously there is a mismatch between the Fedora 22 and Symfony release timeline. Also, I think Centos 6 or 7 will have the similar unsupported version.
$ dnf search symfony | grep channel
php-channel-symfony.noarch : Adds symfony project channel to PEAR
php-channel-symfony2.noarch : Adds pear.symfony.com channel to PEAR

In the end, stick to the simpler way, using the Symfony installer, even though you may be some security risk but that can be prevented by verifying its components and using Security Advisories Checker tool..

No comments:

Post a Comment