Newsgroups: php.internals
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Fri, 9 Sep 2016 12:00:04 +0100
Subject: Re: [PHP-DEV] Modern practices ...

On 09/09/16 11:30, Niklas Keller wrote:
>> Back to PEAR ... what happens if I simply install a copy of composer
>> centrally and rename it 'PEAR'.
>
> Why rename it to PEAR? It's a different tool. Just call it Composer as it's
> named.

My point was just that, as has already been established, composer can do the same thing as PEAR. All that matters is that everybody is working from the same global installation. The composer.json/composer.lock that controls a particular installed application is secure to that application, not an individual's account.

>> composer.phar simply gets installed
>> centrally and any new tech has access without having to install their
>> own copy.
>
> That's entirely fine as said. New tech should still install their own
> version of the repository and install the dependencies there.

Then you have never had a full security audit of your systems! A new user should NEVER install their own version of anything relating to the running system. THAT is a potential hole in the security of the system. The new user should simply be given access to the locked down code already installed.

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk