News Feed
Jobs Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Zumba Engineering Blog:
Enforce code standards with composer, git hooks, and phpcs
April 15, 2014 @ 09:13:48

The Zumba Engineering blog has a new post looking at a way you can control code quality and standards with the help of Composer, git hooks and the PHP Code Sniffer (phpcs) tools.

Maintaining code quality on projects where there are many developers contributing is a tough assignment. How many times have you tried to contribute to an open-source project only to find the maintainer rejecting your pull request on the grounds of some invisible coding standard? [...] Luckily there are tools that can assist maintainers. In this post, I'll be going over how to use composer, git hooks, and phpcs to enforce code quality rules.

These three technologies are combined together to make a more seamless experience for the developer while keeping the code quality high. Their method makes use of the "scripts" (post-install-cmd) feature of Composer to, after the installation of all packages, set up a git hook script that will run the phpcs checks on pre-commit. It's a pretty simple shell script that kicks back any errors it might find before the user can commit their changes.

0 comments voice your opinion now!
code standards composer git hook phpcs codesniffer install precommit

Link: http://engineering.zumba.com/2014/04/14/control-code-quality

Matthias Noback:
There's no such thing as an optional dependency
April 11, 2014 @ 11:19:19

In his latest post Matthias Noback suggests the idea that there's no such thing as an optional dependency when it comes to working with packages and Composer.

On several occasions I have tried to explain my opinion about "optional dependencies" (also known as "suggested dependencies" or "dev requirements") and I'm doing it again: "There's no such thing as an optional dependency." I'm talking about PHP packages here and specifically those defined by a composer.json file.

So that everyone's on the same page, he starts with an example of a true dependency in a sample adapter class. He asks the usual question - "what's needed to run this code?" - and looking a bit deeper at the "suggested" packages. As it turns out, some of these dependencies turn into actual requirements when you need certain features of the tool. He points out that this is a problem with quite a few packages in the Composer ecosystem and proposes a solution - splitting packages based on requirements. He gives an example based on his adapter with a Mongo requirement split off into a "knplabs/gaufrette-mongo-gridfs" package that's more descriptive of the requirements.

0 comments voice your opinion now!
optional dependency composer packagist suggested package

Link: http://php-and-symfony.matthiasnoback.nl/2014/04/theres-no-such-thing-as-an-optional-dependency/

Gary Hockin:
Less is More
April 07, 2014 @ 09:56:36

Gary Hockin has a new post to his site talking about how he's found that less is more when it comes to what to include in your "composer.json". He works through some of his own opinions on the matter and suggests a bit more thought before just including another library.

I have absolutely no doubt this post will be largely disagreed upon by many in the PHP community, but I've had a terrible day and I'm hoping that the process of just getting this off my chest will be therapeutic in some way. [...] So, today I sat down and started writing the tests for our new lightweight SDK that offsets much of the work needed in the delivery of the adverts to workers via a Beanstalk queue. It should have been so easy. Things went well for the early part until I realised that I wanted to be able to extract and serialise our Device object to put it into the queue, and then hydrate it back into a Device object inside the worker

He assumed that since he'd used Zend Framework 2 a good bit and there were no (declared) dependencies, he could directly use an individual component. Unfortunately, there was a dependency (ZendFilterChain), requiring another package to be added via Composer and pulled down. He points out that Composer has made this almost too easy and developers maybe aren't as thoughtful about the libraries they pull in because of it.

He makes a call out to developers to remember the idea behind the MicroPHP Manifesto and really think about the code they're puling in, how large it is and if it's what they really need. He's not suggesting that Composer is the problem, rather the blind usage of it without thinking through the implications.

0 comments voice your opinion now!
less more library composer packagist include

Link: http://blog.hock.in/2014/04/05/less-is-more

SitePoint PHP Blog:
Composer Cheatsheet
April 01, 2014 @ 11:22:35

The SitePoint PHP blog has a new post from Matthew Setter today sharing a Composer cheatsheet he recently discovered with an example of the common commands and "composer.json" file structure.

Unless you've been living under a rock, today's PHP isn't your grandmother's PHP; it's an entirely different, much more elegant and mature language with countless improvements and additions. One of the key additions is Composer, the de facto standard for managing PHP project dependencies which, by default, gives you access to hundreds of ready-made libraries, via Packagist.org.

He goes through the parts of the guide, introducing some of the commands and covering the details of the full "composer.json" JSON structure. There's also a video introduction if you'd like the more visual version.

0 comments voice your opinion now!
composer cheatsheet introduction commands json structure

Link: http://www.sitepoint.com/composer-cheatsheet

Matthew Turland:
Travis and Composer and virtPHP, oh my!
March 27, 2014 @ 10:28:55

Matthew Turland has a new post today to his site looking at the combination of three different technologies - TravisCI, Composer and VirtPHP - and an odd error he was getting from his build about a missing requirement "php".

In the first build, everything worked fine under 5.4 and 5.5, but upon getting to the composer install instruction to install project dependencies and PHPUnit, the job for 5.3 failed with some rather unintuitive output from Composer that implied it didn't recognize the platform package requirement that I'd provided for the minimum PHP version. [...] Since the cause of my issue wasn't immediately obvious from Composer's output, my first thought was that I needed to begin my attempt at troubleshooting the issue by replicating it on my local machine.

This is where VirtPHP came in. This tool provides an environment where you can install and configure multiple PHP configurations and switch between them easily. It provides a "glue" between the phpenv and php-build projects to make management of the results simpler. He talks about how he configured and set up his environments...and figured out his Composer problem.

0 comments voice your opinion now!
travisci composer error virtphp environment

Link: http://matthewturland.com/2014/03/26/travis-and-composer-and-virtphp-oh-my

ServerGrove Blog:
Composer 101
March 21, 2014 @ 12:14:12

You might have heard about Composer but aren't quite sure what all the fuss is about it. In this new tutorial on the ServerGrove blog, they introduce you to it, help you get it installed and show how it can help you make dependency management simpler.

Composer is a tool for dependency management in PHP. It allows us to declare the libraries (packages from now on) on which our project depends on and downloads them for us. With many high quality packages available to us, the are redefining they way we are building PHP software. You can browse through the wide variety of packages at the composer main repository packagist.org. Composer is a simple tool to use and this tutorial will go over the installation and usage basics.

They walk you through the installation (or either *nix or Windows) and help you get started with your first "composer.json" configuration file. They talk about "composer.lock" and the role it plays and how Composer uses is (and the json version) to pull in dependencies for your libraries of choice. The article also briefly covers the "composer" command and the options it provides.

0 comments voice your opinion now!
composer dependency management package introduction

Link: http://blog.servergrove.com/2014/03/19/composer-tutorial/

Lorna Mitchell:
Using Composer Without GitIgnoring Vendor/
March 12, 2014 @ 12:45:23

In her latest post Lorna Mitchell looks at a method, when using Composer and git, to fix an issue around subdirectories that are git repositories and git thinking they should be submodules instead.

Recent additions to the joind.in API have introduced some new dependencies so we decided we'd start using Composer to manage these - but we don't want to run composer unsupervised. I'm sure this will bring the rain of "just run composer install, it's probably mostly almost safe" criticism, but actually it's quite tricky to run Composer without excluding vendor/ from source control so I thought I'd share how we did it so that anyone who wants to do so can learn from my experience!

She starts by describing the usual use of Composer - making the "composer.json", running the install and see the "vendor" directory being added. When she tried to check in the dependencies, git gave her an error about wanting them to be submodules. Instead, she figured out a way to add a line to the .gitignore to have it disregard the "vendor/.git" directory, making it work as expected.

0 comments voice your opinion now!
composer vendor install gitignore git

Link: http://www.lornajane.net/posts/2014/using-composer-without-gitignoring

Pádraic Brady:
PHP Package Signing My Current Thoughts
March 10, 2014 @ 11:57:49

Pádraic Brady has a new post sharing some of his ideas around PHP package signing and a few possible ways to approach (and possibly solve) the problem.

We figured out how to write good code. We figured out how to write good code in a reusable way...for the most part. We figured out how to distribute and mix all that good reusable code in a sensible fashion. Can we now figure out how to do it all securely? [...] The problem with package signing from my perspective is tied up in a phrase most of you would know: The needs of the many outweigh the needs of the few. Thank you, Spock.

He compares two different alternatives, Public-key infrastructure (PKI) vs (Pretty Good Privacy) GPG, and how the idea of trust fits into the picture. He also points out an unfortunate fact when it comes to the initial adoption of package signing methods - people are lazy (and cheap). They want to get things done and not have extra steps. Signing their packages would be one of these steps. He suggests an alternative, though, using double signatures to verify the integrity and validity of its contents. He also talks about the role that metadata plays in the overall package ecosystem and how signing it as well could be part of the solution.

0 comments voice your opinion now!
package signature signing metadata packagist composer

Link: http://blog.astrumfutura.com/2014/03/php-package-signing-my-current-thoughts

Pádraic Brady:
Thoughts on Composer's Future Security
March 06, 2014 @ 11:09:06

Pádraic Brady has a new "let's watch Paddy think aloud in a completely unstructured manner blog post" about the future of security when it comes to the popular PHP package manager Composer. It's recently come under criticism around its lack of package signing and TLS/SSL support.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS then an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of with is TLS/SSL support as defined in this pull request currently pending. It enables peer verification by default, follows PHP 5.6 TLS recommendations and uses local system certificates in the connection. He talks some about other additional TLS/SSL measures that could be added in the future and how, despite it being safer than nothing, TLS/SSL is not the "cure all" for the problem.

He then moves on to package signing and suggests one method for implementation - signing the "composer.phar" executable and signing "everything else" (packages to be downloaded) to verify their validity.

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.
0 comments voice your opinion now!
composer package signing tls ssl support security

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security

Evert Pot:
Composer's bug now fixed
February 24, 2014 @ 12:38:06

Evert Pot has posted an update to a previous post around Composer's vulnerability around installing the wrong packages in the case of a conflict. In this latest post he points out, however, that the bug is now fixed.

As an update to my previous post, the composer security problem now appears fixed. Good to see that a quick response was possible after all.

The original issue was caused by the "replace" functionality, allowing the possibility for an incorrect package to be installed instead of the one requested. Other posts with more details include this one from Pádraic Brady and Nils Adermann. if you're a Composer user, it's highly suggested you update your currently installed version (run a "composer self-update").

0 comments voice your opinion now!
composer bug security vulnerability fix selfupdate

Link: http://evertpot.com/composer-bug-fixed


Community Events











Don't see your event here?
Let us know!


framework symfony2 overview language opinion introduction podcast release composer series security code component install facebook hack hhvm package unittest application

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework