What ensures that this is a secure way to install php extensions? #868
Replies: 1 comment 1 reply
-
|
I think you have these options:
What so you mean? Would you like me to reassure you that I won't do anything harmful? Sure, I reassure you about that. But my reassurance doesn't change the fact that you still have to trust me. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the reply. Those are both good options. I will do number 1, while also doing a version of number 2. I decided to just pull the script locally so it is always available.
Totally. I guess I was wondering if there happened to be some kind indepedent evaluation performed. But I totally understand the limits of open source and I don't mean to put your credibility into question at all. This is a fantastic project and has greatly simplified what I was working on. So you have my thanks! |
Beta Was this translation helpful? Give feedback.
-
I want to keep security in mind when developing our application docker images - what is the security story around trusting this specific script?
Imagine a maintainer decides to do something nefarious and we install the latest version from github. That script will run directly in our production image. Is this just a risk that we should accept for the convenience, or is there a policy / or some reassurance that we can lean back on?
I hope this doesn't come across the wrong way - the script is great and in my testing is much easier than doing manual installations myself. I'm just considering whether it is worth introducing that risk into our build process.
Thanks
Beta Was this translation helpful? Give feedback.
All reactions