News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Joshua Thijssen:
Installing composer russian roulette.
October 15, 2012 @ 12:19:19

In this new post to his site Joshua Thijssen talks about the "russian roulette" that's involved in the single-line install of Composer (as was mentioned here) and how it sets a bad precedent for developers to follow.

Michael Maclean has written a very good article on what is wrong with this. His point essentially boils down to this: you have no way of knowing what you are actually installing on your system and if it's the software as intended by the original developers. Especially developers tend to do this more and more often, and in even more dangerous ways. Now, this is bad by itself of course, but this is not a simple app you run on occasion (if that was an excuse to begin with). Composer is the software that pretty much controls ALL your application dependencies. What would happen if this software would fetch its packages from packagists.org, or packagits.org?

He brings up a scenario where, say Packagist.org gets hacked and links to repositories are altered. If you're blindly installing via Composer, you'd have no idea that the code you're working with is potentially tainted. He notes that it boils down to trusting the source and how some simple hashing could help some of the problems. He also talks briefly about security issues that have been discussed (like "use SSL" or "don't run as root") to help prevent issues.

He suggests the implementation of the hash-based signing of the downloads to ensure that the software you're getting is what you're expecting. He mentions getting rid of auto-updates and the creation of signed packages/tarballs to help increase the security checking abilities of the installer.

0 comments voice your opinion now!
composer install package signing hashing security


blog comments powered by Disqus

Similar Posts

Stuart Herbert's Blog: Getting PEAR Working On Windows 7

Mike Wallner's Blog: Dropping server load with HTTP caching

Zend Developer Zone: Security Tips #17 & #18 (When to Secure & File Uploads)

IBM developerWorks: Paint 3-D images with PHP

Mike Purcell's Blog: CentOS - PHP - Install Memcached (with a d) Stack


Community Events

Don't see your event here?
Let us know!


api interview unittest release series conference community framework laravel podcast laravel5 voicesoftheelephpant php7 opinion example extension library language version introduction

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework