PHP
Nikita, 2015-08-17 19:16:44

How reasonable is it to use git forks for composer dependencies in your project?

There is a project that will be developed for a long time and supported for several years. This project uses, and regularly updates, several ready-made modules installed via composer.
The question arose: what if the developers of one of those modules, or someone else with push rights to it, simply decide to upload malicious code (e.g. rm -rf /), and after the next update everything goes very badly? What do you do in that case? The obvious solution is to fork all these third-party modules and, as they are updated, pull the updates into the forks yourself, checking them first. But how sound is this, and are there other solutions to this problem?
PS: I didn't find similar topics on the net, maybe because of my lack of competence in this area; I just don't know what to search for.


2 answers
nonlux, 2015-08-17
@bitver

Alexey Ukolov +1
Let's draw an analogy with the idealized FSTEC procedure for licensing software for work with state secrets:
1. A specific version of the software is taken.
2. A full audit of the code is carried out.
3. That version of the software receives a license.
But think about what it takes to work on a PC that handles state secrets: you have to check the entire software stack.
So just forget about this paranoia.
Think:
1. The web server, PHP and git are made by one set of people.
2. A second set of people builds them for the OS you use.
3. The hardware administrators at your hosting provider are a third set.
4. The backbone network administrators are a fourth.
Enemies all around.
You can audit all the third-party code, but you are far more likely to write a huge hole in your own application through which any user can rm -fr.
And to protect yourself from negligent third-party developers: test your code, test the application in an isolated environment (in a container), and only then push everything to the production server.

Dmitry Entelis, 2015-08-17
@DmitriyEntelis

Taking into account that GitHub has repository takedown functionality, which both the owner and the administration can use, in my opinion the only reasonable solution is to download the entire project code into your own repository. Whether you fork at the same time or just copy the files is a secondary matter.
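The workflow proposed in the question (fork every third-party module, review each upstream change, and only then let the project pick it up) and Dmitry's point about keeping all dependency code in repositories you control both come down to one check: after composer has resolved dependencies, every package in composer.lock must point at your fork and at a commit you have reviewed. The script below is an added example, not code from the original thread or from any of the people in it. The package names, the fork URLs under github.com/our-org and the commit hashes are all made up, and the composer.lock fragment is constructed inline so the script runs offline.

```python
"""Audit a composer.lock against an allowlist of reviewed fork commits.

Added example (not from the original thread). Assumes the workflow from the
question: every third-party package is consumed from a fork you control, and
the fork is only advanced to an upstream commit after that commit is reviewed.
"""
import json

# Constructed sample composer.lock, not a real project's lock file. Only the
# fields the check needs are present; a real lock file carries many more.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {   # our fork, at a commit we have reviewed: fine
            "name": "acme/mailer", "version": "1.4.0",
            "source": {"type": "git",
                       "url": "https://github.com/our-org/mailer.git",
                       "reference": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"},
        },
        {   # our fork, but the fork was advanced to an unreviewed commit
            "name": "acme/queue", "version": "2.0.1",
            "source": {"type": "git",
                       "url": "https://github.com/our-org/queue.git",
                       "reference": "0123456789abcdef0123456789abcdef01234567"},
        },
        {   # reviewed commit, but resolved straight from upstream, not the fork
            "name": "acme/logger", "version": "3.2.0",
            "source": {"type": "git",
                       "url": "https://github.com/acme/logger.git",
                       "reference": "fedcba9876543210fedcba9876543210fedcba98"},
        },
        {   # a package nobody has reviewed at all
            "name": "acme/cache", "version": "0.9.0",
            "source": {"type": "git",
                       "url": "https://github.com/acme/cache.git",
                       "reference": "1111111111111111111111111111111111111111"},
        },
    ],
    "packages-dev": [],
})

# Allowlist maintained by whoever does the reviews:
# package name -> (URL of our fork, set of commit hashes reviewed so far).
# Hypothetical organisation, URLs and hashes.
REVIEWED = {
    "acme/mailer": ("https://github.com/our-org/mailer.git",
                    {"a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"}),
    "acme/queue": ("https://github.com/our-org/queue.git",
                   {"9999999999999999999999999999999999999999"}),
    "acme/logger": ("https://github.com/our-org/logger.git",
                    {"fedcba9876543210fedcba9876543210fedcba98"}),
}


def fork_repositories(reviewed):
    """Build the composer.json "repositories" entries that make composer
    resolve each allowlisted package from our fork instead of upstream."""
    return [{"type": "vcs", "url": fork_url} for fork_url, _ in reviewed.values()]


def audit_lock(lock_json, reviewed):
    """Return one finding per package whose pinned source is not a reviewed
    commit on our fork. An empty list means `composer install` from this lock
    file will only check out code somebody has looked at."""
    findings = []
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        if name not in reviewed:
            findings.append(f"{name}: not in the reviewed allowlist")
            continue
        fork_url, commits = reviewed[name]
        src = pkg.get("source") or {}
        if src.get("type") != "git" or src.get("url") != fork_url:
            findings.append(f"{name}: source {src.get('url')!r} is not the fork {fork_url}")
            continue
        if src.get("reference") not in commits:
            findings.append(f"{name}: commit {src.get('reference')} has not been reviewed")
    return findings


if __name__ == "__main__":
    for line in audit_lock(SAMPLE_LOCK, REVIEWED) or ["lock file is clean"]:
        print(line)
```

Two things the script relies on: composer.lock records the exact commit (`source.reference`) each package was resolved to, and `composer install` reproduces that lock file while `composer update` is what rewrites it. So the audit belongs in the step where the lock file is regenerated, before the new lock is committed; production should only ever run `composer install` against a committed, audited lock. The `repositories` entries from `fork_repositories()` go into composer.json so that resolution itself prefers the forks, but the lock check is still needed, since a typo in a `vcs` URL or a package that was never forked would otherwise silently come from upstream.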
