ho-nl / docker-development-box

🐳 Reach Digital Magento 2 Docker+local hybrid devbox 🐳
Apache License 2.0

Verify hash of the downloaded file to (re)install PHP #39

Open zetxek opened 3 years ago

zetxek commented 3 years ago

In the README it's suggested to execute:

curl -s https://raw.githubusercontent.com/ho-nl/docker-development-box/master/install.sh | bash -s -- -i

There is no validation of the remote script. It's a best practice to prevent somebody from impersonating/replacing the script that will do crucial system tasks.

References:

paales commented 3 years ago

Fair point. It doesn't really need to be executed over the network. composer require bla/bla and running the install script from the vendor folder should work as well. Might that be a better alternative?

zetxek commented 3 years ago

I think that should be already better, as the user can go and check the script themselves, and there's no risk of DNS hijacking or something like that :-)

paales commented 3 years ago

If you've got the time to restructure the README to make this clear, that would be appreciated.
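
The download-then-verify flow this issue asks for, as an added example that is not code from the repository or from either commenter. The function names are hypothetical, and `EXPECTED_SHA256` is a placeholder because the page publishes no digest for install.sh.

```shell
#!/bin/sh
# Added example: save the installer to a file, check its SHA-256 against a
# pinned value, and only then execute it (instead of piping curl into bash).
INSTALL_URL="https://raw.githubusercontent.com/ho-nl/docker-development-box/master/install.sh"
# Placeholder (assumption): the maintainers would publish the real digest.
EXPECTED_SHA256="<sha256-published-by-the-maintainers>"

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f 1
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Return 0 only if the file's digest equals the pinned one (hex case ignored).
# An unset, empty or placeholder digest never matches, so the check fails closed.
verify_sha256() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Fetch to a file, never to a pipe, so the bytes checked are the bytes run.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Run the installer with its arguments only after the digest check passes.
run_verified() {
    file=$1; expected=$2; shift 2
    if ! verify_sha256 "$file" "$expected"; then
        echo "digest mismatch for $file, refusing to run" >&2
        return 1
    fi
    bash "$file" "$@"
}

# Intended use (needs network access, so it is not executed here):
#   tmp=$(mktemp) && fetch_installer "$INSTALL_URL" "$tmp" \
#     && run_verified "$tmp" "$EXPECTED_SHA256" -i
```

Because the URL tracks the master branch, the pinned digest has to be updated whenever install.sh changes, and it should be distributed through a channel other than the one serving the script.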