removed self updater and extended installation documentation #177

Merged (2 commits) on Oct 31, 2018

@smoench (Contributor) commented Oct 9, 2018

Closes #173

@smoench mentioned this pull request Oct 9, 2018

@timglabisch (Collaborator)

I am 👎 because:

  1. phive is not popular. Most deptrac users have to learn about phive.
  2. phive is "under heavy development".
  3. something like "--force-accept-unsigned" is the worst of all worlds in case of security.

Are there any pros?

I would prefer providing a docker image.

Feel free to overvote me.

@timglabisch self-requested a review October 9, 2018 18:59

@theofidry (Contributor)

I personally feel like Deptrac is unnecessarily too opinionated about the way it is being installed, cf. the discussion about being installed as a Composer package.

That said, I agree with the current state of phive (as much as I appreciate the tool). So whilst I agree with adding an installation entry for it, I wouldn't put it as "recommended".

> something like "--force-accept-unsigned" is the worst of all worlds in case of security.

@timglabisch I don't know if your comment was about the wording, but there is no security issue per se. It means your PHAR is not signed with a GPG key (as an artefact, not using the PHAR built-in signing feature which is useless) but it is downloading it over HTTPS still which is pretty much the only thing you can do at that point.

> I would prefer providing a docker image.

Side note, you can try `$ box docker` or `$ box compile --with-docker`, it will generate a boiler template Dockerfile for your PHAR.

@timglabisch (Collaborator)

> I personally feel like Deptrac is unnecessarily too opinionated about the way it is being installed, cf. the discussion about being installed as a Composer package.
>
> That said, I agree with the current state of phive (as much as I appreciate the tool). So whilst I agree with adding an installation entry for it, I wouldn't put it as "recommended".

👍

> It means your PHAR is not signed with a GPG key (as an artefact, not using the PHAR built-in signing feature which is useless) but it is downloading it over HTTPS still which is pretty much the only thing you can do at that point.

Thanks for clarifying that.

@smoench changed the title from "removed self updater and recommend phive as installation tool" to "removed self updater and extended installation documentation" on Oct 17, 2018

@smoench (Contributor, Author) commented Oct 17, 2018

I removed the recommendation for phive. Feel free to review again :)

@timglabisch (Collaborator)

I would prefer to keep the self-update until we've something better.

@smoench (Contributor, Author) commented Oct 17, 2018

I think we should switch to tagged versions as we could easily update dependencies and refactor code. Using the latest master build for self updating would break people's pipelines. Yes, I'm using deptrac in my pipelines!

@smoench (Contributor, Author) commented Oct 31, 2018

The self-updating mechanism will be replaced by #185 which will be available with the upcoming release.

@smoench merged commit 74bd91a into master Oct 31, 2018
@smoench deleted the remove-self-updater branch October 31, 2018 16:50