News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Joshua Thijssen:
Installing composer russian roulette.
October 15, 2012 @ 12:19:19

In this new post to his site Joshua Thijssen talks about the "russian roulette" that's involved in the single-line install of Composer (as was mentioned here) and how it sets a bad precedent for developers to follow.

Michael Maclean has written a very good article on what is wrong with this. His point essentially boils down to this: you have no way of knowing what you are actually installing on your system and if it's the software as intended by the original developers. Especially developers tend to do this more and more often, and in even more dangerous ways. Now, this is bad by itself of course, but this is not a simple app you run on occasion (if that was an excuse to begin with). Composer is the software that pretty much controls ALL your application dependencies. What would happen if this software would fetch its packages from packagists.org, or packagits.org?

He brings up a scenario where, say Packagist.org gets hacked and links to repositories are altered. If you're blindly installing via Composer, you'd have no idea that the code you're working with is potentially tainted. He notes that it boils down to trusting the source and how some simple hashing could help some of the problems. He also talks briefly about security issues that have been discussed (like "use SSL" or "don't run as root") to help prevent issues.

He suggests the implementation of the hash-based signing of the downloads to ensure that the software you're getting is what you're expecting. He mentions getting rid of auto-updates and the creation of signed packages/tarballs to help increase the security checking abilities of the installer.

0 comments voice your opinion now!
composer install package signing hashing security


blog comments powered by Disqus

Similar Posts

Project: Web Application Security Quiz

Clay Loveless' Blog: PHP MimeViewer for Trac

SitePoint PHP Blog: Evaluating PHP Applications

Zend Developer Zone: Creating Data Tables With PEAR Structures_DataGrid

NetTuts.com: Pro Workflow in Laravel and Sublime Text


Community Events





Don't see your event here?
Let us know!


laravel symfony language community podcast bugfix opinion voicesoftheelephpant library tips package framework list series release api deployment introduction install interview

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework