Integrate with PhiVE for installing Composer #5155
Comments
As PHIVE is still in alpha, I think it is a bit premature to start looking into this. :-)
Composer left alpha a month ago 😉
There are also other alternatives, like https://github.com/ellotheth/pipethis
Composer doesn't actually use the release feature I think, only the tags. But the tags contain the source, not the phar binary. It probably would make sense to attach binaries to the releases, perhaps that can be used to distribute the phars? (And maybe GitHub will extend GPG support for release binaries some day, so it becomes some kind of standard and the signature can be viewed online like in https://github.com/blog/2144-gpg-signature-verification)
Maybe some day but right now I just invested a lot of time in making sure we don't blindly pipe into php and that we have signatures and that all that works without the hassle of GPG, so my motivation to deal with this isn't at the highest I have to admit :)
I don't think Phive can easily be used on Windows / Mac: https://github.com/phar-io/phive/blob/1ff73fbbf6bc53224a320583ef018e4a6c66dae8/src/shared/config/Config.php#L59 The tool mentioned by @barryvdh relies on a go library. It can probably work without this hard requirement for other OS than Linux, I've opened a ticket to ask (ellotheth/pipethis#11).
Well, I just wanted to open a ticket to request an option in composer to install just phars instead of source files via composer (similar to phive) but into `vendor/bin`. This would allow shipping binaries of phpmd or similar stuff, without having the classes in the autoloader 😄
It is not necessary to use the GitHub release process. "just" GPG .asc signatures have to be made available. Are they maybe already? Would it be possible?
@Seldaek how do you feel about doing this? Signing the phars is not a lot of additional work. But someone has to do it. Probably would be wise to use a dedicated Composer GPG key, not a personal one (or not, I don't know what is preferable here?).
I am already signing the phars, just not using GPG. So I guess I could add one more signature to the release process and push that out to the GitHub release. Don't really wanna have travis do that part. I'll investigate.
Fixed by 44dc3c2 - as of https://github.com/composer/composer/releases/tag/2.0.3 releases will be signed. I just tried to install it via phive and it works now without |
As @shochdoerfer pointed out in this comment it's probably a good idea to support PhiVE as an additional way to securely install Composer.
From their website:
And since we already have GitHub releases for composer it should not be too much work to claim a PhiVE alias.