Wednesday 5 March 2014

Re: [dcphp-dev] Re: Composer vulnerability

Following up on composer security, @padraicb has a bunch of pull requests to improve the codebase:

http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security/

" Composer should now operate with SSL/TLS protections out of the box. "

It's also a good roundup of the weaknesses found in TLS over the last two years. He also talks about how to manage package signing.

On 02/21/2014 07:51 AM, David Mitchell wrote:
Correction: I misread the Packagist.org stats.  The repository contains 24,492 packages with 87,349 total versions.

I hit the "post" button too quickly.

David

On Friday, February 21, 2014 7:43:29 AM UTC-5, David Mitchell wrote:
Hi Oscar,

Thanks for pointing this out.

I think that composer is great, and I use it a lot in PHP projects.

I recently heard a talk at the Java Users' Group (NOVA JUG) on a similar problem with maven.  The focus of the talk was using frameworks and libraries with known vulnerabilities.  Some frameworks and libraries are not regularly updated, and some use old versions of libraries with known vulnerabilities.  This is a big problem, especially if you run your code with super user privileges (see #9 in the top 10 vulnerabilities in https://www.owasp.org/index.php/Top_10_2013-Top_10).  The solution proposed was to manage your own maven repo so that you have a golden repo at a point in time.  Sonatype (http://www.sonatype.com/) has such a solution for maven.

By the way, Maven Central has 260,000 artifacts and serves 70 million downloads every week (http://blog.sonatype.com/2010/12/now-available-central-download-statistics-for-oss-projects/).  Packagist.org has 142 million packages (24,492 packages with 87,349 versions) and about 160 million downloads a month (https://packagist.org/statistics).

David



On Thursday, February 20, 2014 4:31:34 PM UTC-5, Oscar Merida wrote:
Hey folks,

If you use composer to install dependencies, you should be aware that
you should be checking what it's actually downloading when you run
composer install. See this post here:
http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

-Oscar
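Oscar's point is that `composer install` fetches whatever `composer.lock` says, so the lock file is the place to look before running it. The script below is an added example, not code from the thread, from Composer, or from the linked blog posts. It reads the `packages` and `packages-dev` arrays of a lock file (the real Composer key names `source`, `dist`, `url`, `reference` and `shasum`) and flags entries whose archive URL is not HTTPS, whose archive carries no checksum, or which pin no commit reference. The lock file embedded here is constructed for the demonstration; its package names, URLs and hashes are placeholders.

```python
"""Audit a composer.lock for downloads that cannot be verified offline.

Added example (not Composer's own tooling). Walks the "packages" and
"packages-dev" arrays of a composer.lock and returns, per package, the
reasons a reviewer should look at it before running `composer install`.
"""
import json

# Constructed sample lock file: names, URLs and hashes are illustrative only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            # Well-formed entry: HTTPS archive, commit pinned, checksum present.
            "name": "vendor/good-lib",
            "version": "1.2.0",
            "source": {"type": "git",
                       "url": "https://github.com/vendor/good-lib.git",
                       "reference": "0123456789abcdef0123456789abcdef01234567"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/vendor/good-lib/zipball/"
                            "0123456789abcdef0123456789abcdef01234567",
                     "reference": "0123456789abcdef0123456789abcdef01234567",
                     "shasum": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
        },
        {
            # Plain-HTTP archive with an empty checksum: nothing stops
            # an on-path substitution of the zip.
            "name": "vendor/plain-http",
            "version": "0.9.1",
            "source": {"type": "git",
                       "url": "https://example.invalid/plain-http.git",
                       "reference": "89abcdef0123456789abcdef0123456789abcdef"},
            "dist": {"type": "zip",
                     "url": "http://example.invalid/plain-http.zip",
                     "reference": "89abcdef0123456789abcdef0123456789abcdef",
                     "shasum": ""},
        },
    ],
    "packages-dev": [
        {
            # No dist at all and no commit reference: a moving target.
            "name": "vendor/no-dist",
            "version": "dev-master",
            "source": {"type": "git",
                       "url": "https://example.invalid/no-dist.git"},
        }
    ],
})


def audit_lock(lock_json: str) -> dict:
    """Return {package name: [findings]} for packages that need review.

    Packages with no findings are omitted from the result.
    """
    lock = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            issues = []
            dist = pkg.get("dist") or {}
            source = pkg.get("source") or {}

            if not dist:
                issues.append("no dist archive; install will clone from source")
            else:
                url = dist.get("url", "")
                if not url.lower().startswith("https://"):
                    issues.append(f"dist URL is not HTTPS: {url}")
                if not dist.get("shasum"):
                    issues.append("dist has no shasum; archive cannot be checked")

            # A commit reference on either side pins the exact content.
            if not (source.get("reference") or dist.get("reference")):
                issues.append("no commit reference pinned")

            if issues:
                findings[pkg["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_lock(SAMPLE_LOCK).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file's contents. An empty `shasum` is common for GitHub zipballs, so that finding is a prompt to review rather than proof of tampering; the HTTPS and pinned-reference findings are the ones that directly answer "what is this install going to fetch, and from where."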

--
You received this message because you are subscribed to the Google
Group: "Washington, DC PHP Developers Group" - http://www.dcphp.net
To post, send email to washington-dcphp-group@googlegroups.com
To unsubscribe, send email to washington-dcphp-group+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/washington-dcphp-group?hl=en
