On Wed, Jun 11, 2014 at 11:05 AM, Zack Weinberg <zackw(a)cmu.edu> wrote:
> Well, it makes *me* wince because you're directing people to pull code
> over the network and feed it straight to the PHP interpreter, probably
> as root, without inspecting it first. And the site is happy to send
> it to you via plain HTTP, which means a one-character typo gives an
> active attacker a chance to pwn your entire installation.
It's over HTTPS. As long as you trust that getcomposer.org is the domain
you are looking for, this is really no different than installing via a
package manager.
-- 
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science