On Wed, Jun 11, 2014 at 11:05 AM, Zack Weinberg zackw@cmu.edu wrote:
Well, it makes *me* wince because you're directing people to pull code over the network and feed it straight to the PHP interpreter, probably as root, without inspecting it first. And the site is happy to send it to you via plain HTTP, which means a one-character typo gives an active attacker a chance to pwn your entire installation.
It's over HTTPS. As long as you trust that getcomposer.org is the domain you are looking for, this is really no different than installing via a package manager.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science
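The safer shape of the procedure the two messages argue about, as an added example that is not part of this thread: fetch the installer to a file over HTTPS only, compare it against a digest obtained out of band, and only then hand it to the interpreter. The URL, expected hash and interpreter are parameters you supply; the names below are assumptions, not anything getcomposer.org publishes.

```shell
#!/bin/sh
# Added example, not code from the thread. Downloads an installer to a
# file, checks its SHA-256 against a value you pinned out of band, and
# only then runs it, instead of piping the network stream into php.
set -e

# Print the SHA-256 hex digest of a file (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_installer FILE EXPECTED_HEX
# Succeeds only when the file's digest equals the pinned value.
verify_installer() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_and_run URL EXPECTED_HEX [INTERPRETER]
# Refuses plain-HTTP URLs (a typo in the scheme is exactly the case the
# thread worries about), downloads to a temp file, verifies, then runs.
fetch_and_run() {
  url=$1; expected=$2; interp=${3:-php}
  case "$url" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
  esac
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  # --proto '=https' also blocks redirects that downgrade to HTTP.
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  if ! verify_installer "$tmp" "$expected"; then
    echo "installer digest mismatch, not running it" >&2
    return 1
  fi
  "$interp" "$tmp"
}
```

Pin the expected digest from a channel other than the download itself (a signed release note, a mirror you control), otherwise the check only proves the file matches what the same server chose to send.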