Can we kill the subthread dealing with the awful "pipe the output of curl to php" install for composer? Its evilness is not really on topic (not until we start writing suggested install directions in the wiki). As Chad noted, there are sane-sysadmin ways to install composer. I think it would be more productive to continue discussing how we want to handle third-party dependencies, rather than arguing over install instructions.
--scott
On Wed, Jun 11, 2014 at 11:21 AM, Tyler Romeo tylerromeo@gmail.com wrote:
On Wed, Jun 11, 2014 at 11:05 AM, Zack Weinberg zackw@cmu.edu wrote:
Well, it makes *me* wince because you're directing people to pull code over the network and feed it straight to the PHP interpreter, probably as root, without inspecting it first. And the site is happy to send it to you via plain HTTP, which means a one-character typo gives an active attacker a chance to pwn your entire installation.
It's over HTTPS. As long as you trust that getcomposer.org is the domain you are looking for, this is really no different than installing via a package manager.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science