Comments (2)
Done
from getcomposer.org.
Basic approach:
- Implement TLS verification for Composer.
- Create signature for installer (GPG).
- User verifies signature of installer (it's optional - they may not do it).
- User runs installer.
- Download composer.phar (openssl signed).
- Download composer.phar.pubkey (public key).
- Use pubkey to verify all self-updates.
- Examine if instructions can make the installer optional.
I've written most of the pieces, inspired in part by Composer's self-update and borrowing liberally from all the work we previously did on the TLS support for the installer:
https://github.com/padraic/phar-updater
https://github.com/padraic/file_get_contents
These push all the changes to Composer into two dependencies and out of the core code which should be significantly simpler. Currently wrapping these two up for Humbug self updates. They can alternatively be ported into Composer, but...the duplication of effort on my part is preferably avoidable.
Note: The very first requests are not verifiable, i.e. you cannot verify that the GPG and openssl public keys are themselves valid. This is basically the first-encounter approach that ssh uses. You get these once, accept them, keep them permanently, and reuse them constantly, and never accept updates to them without a really really good reason.
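The pin-and-verify flow the comment lays out (accept the public key on first encounter, keep it, and check every later download against it), as an added shell example that is not Composer's or phar-updater's code. It assumes the openssl CLI; the keys, directories and detached `.sig` file are constructed stand-ins, not Composer's actual release layout.

```shell
#!/bin/sh
# Added example, not Composer's code: pin composer.phar.pubkey on first
# encounter, then require that key AND a valid openssl signature on every
# update. Assumes the openssl CLI; keys, dirs and the detached .sig layout
# are constructed stand-ins, not Composer's real release format.
set -eu
WORK="$(mktemp -d)"
PIN_DIR="$WORK/home"        # stand-in for the user's composer home directory
mkdir -p "$PIN_DIR"

# Publisher side (constructed): write a "phar", its public key and signature.
gen_release() {  # $1 release dir, $2 private key, $3 payload text
  mkdir -p "$1"
  printf '%s\n' "$3" > "$1/composer.phar"
  openssl pkey -in "$2" -pubout -out "$1/composer.phar.pubkey" 2>/dev/null
  openssl dgst -sha384 -sign "$2" -out "$1/composer.phar.sig" "$1/composer.phar"
}

# Client side: the first encounter is unverifiable (as the comment notes) and
# simply pins the key; every later encounter must present the same key.
pin_or_check_pubkey() {  # $1 downloaded pubkey; fails if it differs from the pin
  pin="$PIN_DIR/composer.phar.pubkey"
  if [ ! -f "$pin" ]; then cp "$1" "$pin"; return 0; fi
  cmp -s "$1" "$pin"
}

# Succeeds only if the pubkey is pinned/unchanged and the signature verifies
# against the PINNED key (never the freshly downloaded one).
verify_update() {  # $1 release dir
  pin_or_check_pubkey "$1/composer.phar.pubkey" || return 1
  openssl dgst -sha384 -verify "$PIN_DIR/composer.phar.pubkey" \
    -signature "$1/composer.phar.sig" "$1/composer.phar" >/dev/null 2>&1
}

outcome() { if verify_update "$1"; then echo accepted; else echo rejected; fi; }

# Scenarios: the genuine release key, plus a second key standing in for a swapped pubkey.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/release.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
gen_release "$WORK/v1" "$WORK/release.key" "phar v1"
gen_release "$WORK/v2" "$WORK/release.key" "phar v2"
gen_release "$WORK/other" "$WORK/other.key" "phar other"   # self-consistent, but wrong key

FIRST=$(outcome "$WORK/v1")       # first encounter: key pinned, signature valid
SECOND=$(outcome "$WORK/v2")      # same key, new payload: accepted
OTHER=$(outcome "$WORK/other")    # swapped pubkey: rejected by the pin alone
printf 'tampered\n' >> "$WORK/v2/composer.phar"
TAMPERED=$(outcome "$WORK/v2")    # pinned key, altered phar: signature fails
echo "first=$FIRST second=$SECOND other=$OTHER tampered=$TAMPERED"
```

The pinned key is what gets reused for every later self-update; a download that ships a different `composer.phar.pubkey` is refused before its signature is even examined.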