News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Pádraic Brady:
PHP Package Signing My Current Thoughts
March 10, 2014 @ 11:57:49

Pádraic Brady has a new post sharing some of his ideas around PHP package signing and a few possible ways to approach (and possibly solve) the problem.

We figured out how to write good code. We figured out how to write good code in a reusable way...for the most part. We figured out how to distribute and mix all that good reusable code in a sensible fashion. Can we now figure out how to do it all securely? [...] The problem with package signing from my perspective is tied up in a phrase most of you would know: The needs of the many outweigh the needs of the few. Thank you, Spock.

He compares two different alternatives, Public-key infrastructure (PKI) vs (Pretty Good Privacy) GPG, and how the idea of trust fits into the picture. He also points out an unfortunate fact when it comes to the initial adoption of package signing methods - people are lazy (and cheap). They want to get things done and not have extra steps. Signing their packages would be one of these steps. He suggests an alternative, though, using double signatures to verify the integrity and validity of its contents. He also talks about the role that metadata plays in the overall package ecosystem and how signing it as well could be part of the solution.

0 comments voice your opinion now!
package signature signing metadata packagist composer

Link: http://blog.astrumfutura.com/2014/03/php-package-signing-my-current-thoughts

blog comments powered by Disqus

Similar Posts

Adam Harvey's Blog: $pear->list

Fortrabbit.com: Handle your dependencies with PHP composer

Lorna Mitchell: Installing PEAR Packages Offline

Community News: PHPUnit Now Available via Composer

Zumba Engineering Blog: Enforce code standards with composer, git hooks, and phpcs


Community Events





Don't see your event here?
Let us know!


install unittest laravel list interview language podcast opinion testing developer framework code introduction wordpress threedevsandamaybe release refactor configure series community

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework