Jump to content

Talk:Requests for comment/Streamlining Composer usage

About this board

Review of stated problems

1
BDavis (WMF) (talkcontribs)

I'm not sure that I agree with any of the stated problems other than https://phabricator.wikimedia.org/T88211

  • Double review seems theoretical
  • Autoloader updates are automated by composer in either case
  • Cross extension dependencies are not solved by automating Composer builds are they?

Am I incorrect in this analysis?

Reply to "Review of stated problems"
MModell (WMF) (talkcontribs)

According to https://github.com/composer/composer/issues/38 it would appear that composer does have some rudimentary verification of downloaded tarballs, in the sense that packagist publishes an sha of the download and then composer verifies that the file downloaded from github matches that hash.

Reply to "Composer security"
There are no older topics