News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Joshua Thijssen:
Installing composer russian roulette.
October 15, 2012 @ 12:19:19

In this new post to his site Joshua Thijssen talks about the "russian roulette" that's involved in the single-line install of Composer (as was mentioned here) and how it sets a bad precedent for developers to follow.

Michael Maclean has written a very good article on what is wrong with this. His point essentially boils down to this: you have no way of knowing what you are actually installing on your system and if it's the software as intended by the original developers. Especially developers tend to do this more and more often, and in even more dangerous ways. Now, this is bad by itself of course, but this is not a simple app you run on occasion (if that was an excuse to begin with). Composer is the software that pretty much controls ALL your application dependencies. What would happen if this software would fetch its packages from packagists.org, or packagits.org?

He brings up a scenario where, say Packagist.org gets hacked and links to repositories are altered. If you're blindly installing via Composer, you'd have no idea that the code you're working with is potentially tainted. He notes that it boils down to trusting the source and how some simple hashing could help some of the problems. He also talks briefly about security issues that have been discussed (like "use SSL" or "don't run as root") to help prevent issues.

He suggests the implementation of the hash-based signing of the downloads to ensure that the software you're getting is what you're expecting. He mentions getting rid of auto-updates and the creation of signed packages/tarballs to help increase the security checking abilities of the installer.

0 comments voice your opinion now!
composer install package signing hashing security


blog comments powered by Disqus

Similar Posts

Greg Beaver's Blog: Introducing pecl extension phar

Community News: PHPUnit Announced End of Life on PEAR Installation Method

Christopher Jones' Blog: PHP OCI8 Extension 1.2.4 is in PECL

thePHP.cc: Do No Enter!

New Earth Online: Caching PHP pages


Community Events





Don't see your event here?
Let us know!


podcast threedevsandamaybe list introduction code interview release application install developer community configure laravel language wordpress unittest series api library testing

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework