Closed MacDada closed 11 months ago
phive install composer
:-)
phive install composer
:-)
yep, I know I can do that… I wanna do that… but my questions remain :P
Download Script:
I'm not sure I understand why people even bother checking a hash. The only thing this protects against is a corruption during transfer - something that with TLS is extremely unlikely to happen. Given anybody can create a hash - why ever it's having a .sig
extension, it's not a signature -, there is no inherent security in it.
So in that regard, phive's approach is superior to that simple download script. Composer used to provide an openssl signature, which is close to equally useless as the openssl key does not provide any identity information and thus the only thing that could be asserted was that the archive has been signed by the key.
And Phive isn't using itself to install composer simply because I never updated the build setup properly. Composer did not publish gpg signed releases for quite a long time and only somewhat recently changed that (back in October 2020). I'm not even convinced the build.xml
would currently work anywhere but on my system.
I'm not sure I understand why people even bother checking a hash.
The script is what Composer recommends in its docs: https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md#how-do-i-install-composer-programmatically-
phive's approach is superior to that simple download script
Cool. Go Phive! 👍
Phive isn't using itself to install composer simply because I never updated the build setup properly.
That's what I suspected, but it never hurts to ask to be sure. Thanks!
I know they (still) advertise it. That doesn't make it any less pointless ;-)
This is the script that currently downloads Composer into my project:
Is is a good idea to get rid of the script above -> and download Composer using Phive?
It makes logical sense to me, as Composer is just "yet another tool" that my project needs, while Phive is the tool to manage project tools.
I'm sensing that there might be some kind of downside, as the Phive project itself is not doing that [?]:
tools
folder in build.xmlSo, another question would be: how does Composer get into the
tools
dir, while not being downloaded by Phive? And why not? Am I missing something?