Jump to content

Talk:Requests for comment/Streamlining Composer usage

From mediawiki.org

< Talk:Requests for comment

Latest comment: 10 years ago by MModell (WMF) in topic Composer security

This page used the Structured Discussions extension to give structured discussions. It has since been converted to wikitext, so the content and history here are only an approximation of what was actually displayed at the time these comments were made.

Review of stated problems

Latest comment: 10 years ago1 comment1 person in discussion

I'm not sure that I agree with any of the stated problems other than https://phabricator.wikimedia.org/T88211

Double review seems theoretical
Autoloader updates are automated by composer in either case
Cross extension dependencies are not solved by automating Composer builds are they?

Am I incorrect in this analysis? BDavis (WMF) (talk) 22:20, 5 August 2015 (UTC)Reply

Composer security

Latest comment: 10 years ago1 comment1 person in discussion

According to https://github.com/composer/composer/issues/38 it would appear that composer does have some rudimentary verification of downloaded tarballs, in the sense that packagist publishes an sha of the download and then composer verifies that the file downloaded from github matches that hash. MModell (WMF) (talk) 22:36, 5 August 2015 (UTC)Reply

Retrieved from "https://www.mediawiki.org/w/index.php?title=Talk:Requests_for_comment/Streamlining_Composer_usage&oldid=7118847"