Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95849 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 25038 invoked from network); 9 Sep 2016 11:35:23 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Sep 2016 11:35:23 -0000 Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.67 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 74.125.82.67 mail-wm0-f67.google.com Received: from [74.125.82.67] ([74.125.82.67:35311] helo=mail-wm0-f67.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id BC/E4-61313-97E92D75 for ; Fri, 09 Sep 2016 07:35:21 -0400 Received: by mail-wm0-f67.google.com with SMTP id a6so2350515wmc.2 for ; Fri, 09 Sep 2016 04:35:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lN2ZSEEg0BPV4FdH6cj3BpsVfcdaiVRXb+WUva75WO8=; b=gkDaw/Bpo2dI05KPGB4pje84T24RVdes7sQs8i1gj5fXNYRUnk0ec12PxFW7ellhPr o/tgqvxTiqHiHLUJeME39PSgxblJoNszz5FSrwfTrvQLKMZMtLuy1NBQTAK0LveQ54CT RFymQvHa5lBwwpneCU2J/TV/0Y730yhwEDGyUK22Jz42/no0G4OzQujayor65ySlrRMg PCltSwx/THPjNBxj4Vt1aHwat0P8hIPOoCz2O7vWkXj+AJZpoN5XWpAhgpvY4LJseMNF IalqdmUh88/DT99uleMFx+RnxRI2qti6xLOXQ3gVYIy4wbTn0kw/qi/wBdl/Rym6pwG2 fm/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lN2ZSEEg0BPV4FdH6cj3BpsVfcdaiVRXb+WUva75WO8=; b=R8sYGJDyVcqcUjND1kvuPIPxwlpQOZzVoJARjTOWveZMiynWrpBVnYu1KXSHeSMZNh pZpXarEUPEvxPfrSVXdtsyE8d/1DXk2lIIJ4khJN6rjahFXkaA6O5/L+Y9OsIqJYrIE6 GAoH1MAj7fA+D5Y100c9QrcISNznloeyiKUx+iaIL/aQt+1Xyjwg0geyRlp73mdS1wfw tawI/ih4IcoWNHRCH1CXnjwveh+cO/QvMBSmpWIp4iyJ+0bsHdnsL1IhKpScp836aEp2 ZZz7jJxIyN+EviEP/REyiZ5Ueggue7L/9Q7ijzn7nbzbZmGxjBf1c6ih/AuurQIY4wgx 61uA== X-Gm-Message-State: AE9vXwO9pcrSpGyrJV7Rcs/BBzRMUbqE3Nc5I/ATJ6BKKUlYKi/YcXbbzjkVH2CR6rd+R4xIiasafn8syjnAJw== X-Received: by 10.194.110.229 with SMTP id id5mr2630981wjb.23.1473420918703; Fri, 09 Sep 2016 04:35:18 -0700 (PDT) MIME-Version: 1.0 Received: by 10.194.42.165 with HTTP; Fri, 9 Sep 2016 04:35:17 -0700 (PDT) In-Reply-To: References: <616bb9ff-bcd1-fd70-b251-05b280b5003e@lsces.co.uk> Date: Fri, 9 Sep 2016 13:35:17 +0200 Message-ID: To: Lester Caine Cc: PHP Internals Content-Type: multipart/alternative; boundary=089e0102d85e770b2b053c118a93 Subject: Re: [PHP-DEV] Modern practices ... From: tyra3l@gmail.com (Ferenc Kovacs) --089e0102d85e770b2b053c118a93 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Fri, Sep 9, 2016 at 1:00 PM, Lester Caine wrote: > On 09/09/16 11:30, Niklas Keller wrote: > >> Back to PEAR ... what happens if I simply install a copy of composer > >> > centrally and rename it 'PEAR'. > > > > Why rename it to PEAR? It's a different tool. Just call it Composer as > it's > > named. > > My point was just that as has already been established. composer can do > the same thing as PEAR. All that matters is that everybody is working > from the same global installation. The composer.json/composer.lock that > controls a particular installed application is secure to that > application not an individuals account. > usually what's best it that you learn the new tool and apply it to your use case instead of trying to make it work the same way as your previous tool blindly. > > >> > composer.phar simply gets installed > >> > centrally and any new tech has access without having to install thei= r > >> > own copy. > > > > That's entirely fine as said. New tech should still install their own > > version of the repository and install the dependencies there. > > Then you have never had a full security audit of your systems! A new > user should NEVER install their own version of anything relating to the > running system. THAT is a potential hole in the security of the system. > The new user should simply be given access to the locked down code > already installed. > > not sure I understand who is a user in that example. are you arguing that your developers shouldn't ever be allowed to change code? (allowing them to install dependencies is basically the same as allowing them to change code) if that's true why would you have developers in the first place? changing code is fine, as long as you can audit those changes before it goes to production and if you can make sure that the audited code will be the same that goes to production. the current industry best practice is to separate the build and deployment steps, so you can inspect and verify your application before those two steps. with composer that usually means that you won't ever execute composer install on your production machines, but installing your dependencies is part of your build process which results in an artifact (which can be anything from a directory of files, or a debian package, a docker container or an amazon AMI) which then can be inspected, installed in isolation, put through automated testing or manual QA then you can release it without any chance that it will be different from what you ispected. I'm not saying that everybody needs such complex release workflow, but you sounded as secure system would be only possible with a system wide PEAR install but not with composer or application specific dependency installation in general. but please, this is really offtopic on this list. --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --089e0102d85e770b2b053c118a93--