phar-io / phive

The Phar Installation and Verification Environment (PHIVE)
https://phar.io
BSD 3-Clause "New" or "Revised" License

Use Phive to download Composer? #413

Closed MacDada closed 11 months ago

MacDada commented 11 months ago

This is the script that currently downloads Composer into my project:

#!/bin/sh

# https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md

# Fetch the published SHA-384 of the current installer (a hash, not a signature,
# despite the .sig name), then download the installer and hash the local copy.
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"

# Abort and remove the download if the two hashes differ.
if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
then
    >&2 echo 'ERROR: Invalid installer checksum'
    rm composer-setup.php
    exit 1
fi

# Run the installer, clean up, and exit with the installer's own status.
php composer-setup.php --quiet
RESULT=$?
rm composer-setup.php
exit $RESULT

Is it a good idea to get rid of the script above and download Composer using Phive instead?

It makes logical sense to me, as Composer is just "yet another tool" that my project needs, while Phive is the tool to manage project tools.

I'm sensing that there might be some kind of downside, as the Phive project itself is not doing that [?]:

So, another question would be: how does Composer get into the tools dir, while not being downloaded by Phive? And why not? Am I missing something?

theseer commented 11 months ago

phive install composer :-)

MacDada commented 11 months ago

phive install composer :-)

yep, I know I can do that… I wanna do that… but my questions remain :P

  1. Are there any downsides (compared to my downloading script)?
  2. Why is the Phive project itself not doing that? Or is it?

theseer commented 11 months ago

Download Script:

I'm not sure I understand why people even bother checking a hash. The only thing this protects against is corruption during transfer, something that with TLS is extremely unlikely to happen. Given that anybody can create a hash (whyever it has a .sig extension, it's not a signature), there is no inherent security in it.

So in that regard, phive's approach is superior to that simple download script. Composer used to provide an openssl signature, which is close to equally useless, as the openssl key does not provide any identity information and thus the only thing that could be asserted was that the archive had been signed by the key.

And Phive isn't using itself to install composer simply because I never updated the build setup properly. Composer did not publish gpg signed releases for quite a long time and only somewhat recently changed that (back in October 2020). I'm not even convinced the build.xml would currently work anywhere but on my system.
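As an added illustration of the argument in the comment above (this is not code from phive, Composer or the commenter), the following Go program models the two schemes side by side: a checksum served from the same host as the file, and a detached signature verified against a public key pinned on the client. It uses ed25519 from the Go standard library as a stand-in for GPG purely to stay self-contained; the installer bytes, the keys and the attacker are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// Release models what a download host serves: the installer bytes, a checksum
// published next to them (the installer.sig pattern), and a detached signature.
type Release struct {
	Installer []byte
	Checksum  string // hex SHA-384 of Installer, served from the same host
	Signature []byte // detached signature over Installer
}

func sha384Hex(b []byte) string {
	sum := sha512.Sum384(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the legitimate publisher: hash and signature are both computed
// over the genuine installer, the signature with the publisher's private key.
func Publish(installer []byte, priv ed25519.PrivateKey) Release {
	return Release{
		Installer: installer,
		Checksum:  sha384Hex(installer),
		Signature: ed25519.Sign(priv, installer),
	}
}

// CorruptInTransit models the failure a hash check is actually good for:
// the bytes are damaged on the way, the published checksum is untouched.
func CorruptInTransit(r Release) Release {
	damaged := append([]byte(nil), r.Installer...)
	damaged[len(damaged)/2] ^= 0x01
	return Release{Installer: damaged, Checksum: r.Checksum, Signature: r.Signature}
}

// Tamper models an attacker who controls the download host (or a mirror or
// CDN edge): they swap the installer and publish a matching checksum. Lacking
// the publisher's private key, they can only sign with a key of their own.
func Tamper(evil []byte) Release {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Release{
		Installer: evil,
		Checksum:  sha384Hex(evil),
		Signature: ed25519.Sign(attackerPriv, evil),
	}
}

// VerifyByChecksum is the install script's check: hash the file and compare
// with the checksum fetched from the same origin.
func VerifyByChecksum(r Release) bool {
	return r.Checksum == sha384Hex(r.Installer)
}

// VerifyBySignature is the phive-style check: the public key is pinned on the
// client (obtained out of band), so a file whose hash matches but whose
// signature was not made by that key is rejected.
func VerifyBySignature(r Release, pinnedPub ed25519.PublicKey) bool {
	return ed25519.Verify(pinnedPub, r.Installer, r.Signature)
}

type Results struct {
	GenuineChecksumOK, GenuineSignatureOK     bool
	CorruptedChecksumOK, CorruptedSignatureOK bool
	TamperedChecksumOK, TamperedSignatureOK   bool
}

// Scenario runs both checks against a genuine, a corrupted and a substituted release.
func Scenario() Results {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for composer-setup.php; not real installer content.
	genuine := Publish([]byte("<?php echo 'genuine installer';"), priv)
	corrupted := CorruptInTransit(genuine)
	tampered := Tamper([]byte("<?php echo 'backdoored installer';"))
	return Results{
		GenuineChecksumOK:    VerifyByChecksum(genuine),
		GenuineSignatureOK:   VerifyBySignature(genuine, pub),
		CorruptedChecksumOK:  VerifyByChecksum(corrupted),
		CorruptedSignatureOK: VerifyBySignature(corrupted, pub),
		TamperedChecksumOK:   VerifyByChecksum(tampered),
		TamperedSignatureOK:  VerifyBySignature(tampered, pub),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The transit-corrupted copy fails both checks, which is the one case the checksum script covers. The substituted installer passes the checksum check, because the attacker who can replace the file can replace the hash next to it just as easily, and fails the signature check only because the verifying key was pinned on the client beforehand. The pinning is what does the work: a client that fetched the public key from the same host at verification time would be back in the checksum situation.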

MacDada commented 11 months ago

I'm not sure I understand why people even bother checking a hash.

The script is what Composer recommends in its docs: https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md#how-do-i-install-composer-programmatically-

phive's approach is superior to that simple download script

Cool. Go Phive! 👍

Phive isn't using itself to install composer simply because I never updated the build setup properly.

That's what I suspected, but it never hurts to ask to be sure. Thanks!

theseer commented 11 months ago

I know they (still) advertise it. That doesn't make it any less pointless ;-)