Bundle the Standalone Binary into This Package's Distribution #227

Open
Grunet opened this issue Oct 25, 2021 · 5 comments

Comments

@Grunet

Grunet commented Oct 25, 2021

Currently, this package will download the standalone binary for the mock server from the pact-ruby-standalone repo's GitHub releases at runtime (if it isn't already present locally), just after the "start" command is issued on the MockServer instance from PHP.

This leaves an extra opening for this package to be subject to a security supply chain attack (e.g. similar to the codecov one, where a malicious actor could compromise the GitHub releases the binary is downloaded from, and then subsequently compromise all consumers of this library downloading and executing it).

Instead, if the binary were bundled into this package, that would remove that avenue of attack, improving the security of this package (there would still be other methods of compromise as the recent ua-parser-js hack shows, but the risks would be equivalent between this package and others rather than this being distinctly more risky).
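As an added illustration of the check a runtime downloader would need if the binary is not bundled (this is example code, not pact-php's own, and `PinnedArtifactVerifier`, the platform key and the pinned digests are hypothetical): the package ships a SHA-256 digest per platform at release time, and refuses to run any downloaded artifact whose digest does not match.

```php
<?php
// Added example (not pact-php code): verify a downloaded release artifact against
// a digest pinned inside the published package before it is ever executed.
// Assumption (hypothetical): digests are recorded per platform when the package
// version is bumped, so replacing the GitHub release asset alone cannot pass.
declare(strict_types=1);

final class PinnedArtifactVerifier
{
    /** @param array<string, string> $pinnedDigests platform => lowercase hex SHA-256 */
    public function __construct(private array $pinnedDigests) {}

    public function verify(string $platform, string $artifactPath): void
    {
        if (!isset($this->pinnedDigests[$platform])) {
            throw new RuntimeException("No pinned digest for '$platform'; refusing to run downloaded binary");
        }
        $actual = hash_file('sha256', $artifactPath);
        if ($actual === false) {
            throw new RuntimeException("Unable to hash $artifactPath");
        }
        // hash_equals() compares in constant time.
        if (!hash_equals($this->pinnedDigests[$platform], $actual)) {
            // Remove the mismatching file so a later "start" cannot pick it up silently.
            @unlink($artifactPath);
            throw new RuntimeException("Digest mismatch for $platform artifact: expected {$this->pinnedDigests[$platform]}, got $actual");
        }
    }
}

// Demonstration with a constructed file standing in for the downloaded archive.
$content = "constructed stand-in for pact-mock-service archive\n";
$tmp = tempnam(sys_get_temp_dir(), 'pact-');
file_put_contents($tmp, $content);

$verifier = new PinnedArtifactVerifier([
    // Pinned to the constructed content above (hypothetical platform key).
    'linux-x86_64' => hash('sha256', $content),
]);

$verifier->verify('linux-x86_64', $tmp);      // passes: content matches the pin

file_put_contents($tmp, "tampered\n");         // simulate a swapped release asset
try {
    $verifier->verify('linux-x86_64', $tmp);  // throws and deletes the file
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```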

@Grunet
Author

Grunet commented Oct 25, 2021

I would be interested in working on this, but would probably need a little bit of direction (in particular into what the process should look like for bundling the binary).

It was mentioned on Slack that Pact-JS already does this bundling in its beta version, but I haven't been able to see how this works from a quick cursory look. If the process would be the same here as there, some direction as to how Pact-JS is doing it would be wonderful.

@YOU54F
Member

YOU54F commented Apr 28, 2023

Hi @Grunet

Not sure if you would still be up for this. I think this could be a good idea; we see the same supply chain considerations from our users in pact-js land, and packaging the ffi binaries in the distributable would be a good idea, or at least an option for a fat package with everything in, and a thin package with a downloader, or the option for a user to provide their own.

@tienvx has been doing some work in porting pact-php to the FFI backed core; there may be appetite in moving some of the ruby standalone functionality out into a separate php project, so might be something cool to hack on.

see below for context

#302 (comment)

@YOU54F
Member

YOU54F commented Apr 28, 2023

How worried are people about the size of the package from packagist?

@Grunet
Author

Grunet commented Apr 30, 2023

Not sure if you would still be up for this,

I'm unfortunately no longer working at the place that was concerned about this and am a little out of touch with PHP personally as a result. I doubt I'd be able to work on this well now sadly.

@YOU54F
Member

YOU54F commented Jul 12, 2023

No worries my friend, totally appreciate that and all the best in your new adventures :)
