News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Joshua Thijssen:
Installing composer russian roulette.
October 15, 2012 @ 12:19:19

In this new post to his site Joshua Thijssen talks about the "russian roulette" that's involved in the single-line install of Composer (as was mentioned here) and how it sets a bad precedent for developers to follow.

Michael Maclean has written a very good article on what is wrong with this. His point essentially boils down to this: you have no way of knowing what you are actually installing on your system and if it's the software as intended by the original developers. Especially developers tend to do this more and more often, and in even more dangerous ways. Now, this is bad by itself of course, but this is not a simple app you run on occasion (if that was an excuse to begin with). Composer is the software that pretty much controls ALL your application dependencies. What would happen if this software would fetch its packages from packagists.org, or packagits.org?

He brings up a scenario where, say Packagist.org gets hacked and links to repositories are altered. If you're blindly installing via Composer, you'd have no idea that the code you're working with is potentially tainted. He notes that it boils down to trusting the source and how some simple hashing could help some of the problems. He also talks briefly about security issues that have been discussed (like "use SSL" or "don't run as root") to help prevent issues.

He suggests the implementation of the hash-based signing of the downloads to ensure that the software you're getting is what you're expecting. He mentions getting rid of auto-updates and the creation of signed packages/tarballs to help increase the security checking abilities of the installer.

0 comments voice your opinion now!
composer install package signing hashing security


blog comments powered by Disqus

Similar Posts

Till Klampaeckel's Blog: Deploying PHP applications: PEAR and composer resources for chef

Greg Beaver\'s Blog: PHP_Archive 0.7.0 is released

echolibre Blog: The Capsule CRM API and PHP

Mike Wallner's Blog: HttpRequestDataShare

Skaldrom's Blog: Want to create your own progranning language? Lexer & Parser in PHP!


Community Events





Don't see your event here?
Let us know!


tips framework voicesoftheelephpant zendserver development deployment community language conference symfony interview list laravel bugfix code introduction release podcast api series

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework