phar-io / phive

The Phar Installation and Verification Environment (PHIVE)
https://phar.io
BSD 3-Clause "New" or "Revised" License

What about rolling releases? #26

Closed sagikazarmark closed 6 years ago

sagikazarmark commented 8 years ago

Like composer? It is unlikely that you can pinpoint a specific release with a signature? Will those ever be supported?

theseer commented 8 years ago

If it's a release, it has to have a signature. The only thing we can potentially argue about is how the "version" is to be specified. For now phive assumes a semantic version identifier. I do realize this may not apply for all phars we would want to install.

Independent from that, every release should be verifiable. If the developers of composer (or any other tool for that matter) do not provide any means to verify their releases, maybe that should be considered a bug in their release process. As long as they ask their users to directly pipe a downloaded script into execution, that's the least of their problems though ;)

sagikazarmark commented 8 years ago

I agree that a version should be identifiable. For example composer uses the actual commit hash of the build I think.

I am not sure however how a release cycle like this could integrate with phive. Since it has a more frequent release cycle, some automatization would be necessary, otherwise it would be a hassle to register the release in the repository every time.

theseer commented 8 years ago

Yes, composer uses the commit hash (which imho is about the worst choice for an identifier one could possibly pick).

But you're perfectly right, manual registration is definitely not an option and we already have phar-site-generator to generate the repository information file (used for instance at phar.phpunit.de) and there's issue #22. There are of course more options, all we need is a pointer to get data from.

sagikazarmark commented 8 years ago

:+1:

theseer commented 6 years ago

We do need something that identifies a release. For now, that something is a semantic version number.

I don't see anything for us to implement here. At least until there is an actual use case we could look into.