by tottenhm
3162 days ago
(Full disclosure: I published https://packagist.org/packages/totten/ca-config several years ago. I like how `paragonie/certainty` will do a better job of staying up-to-date in badly configured systems. But for well configured systems, I sorta prefer the way `ca-config` defers to the system's CA.)

A few clarifications/suggestions:

1. Does this verify the bundle's signature every time one reads the bundle (i.e. every time one uses `curl` + `getLatestBundle()`)? That would feel a little heavy-handed. Maybe it could check the signature every time one downloads the bundle?

2. Does the default configuration (as written in the docs) really treat `vendor/paragonie/certainty/data` as a writeable data folder? So downstream developers+admins need to set pretty liberal file permissions? (Or perhaps dig up a way to use an alternative data directory?) Might be useful for the docs to mention this.
Yes, that's probably the direction we're going to go.

> So downstream developers+admins need to set pretty liberal file permissions? (Or perhaps dig up a way to use an alternative data directory?) Might be useful for the docs to mention this.

That's a good point. Another developer indicated they were writing a pull request to add composer post-install hooks, and I could easily add one that chmods this directory.
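The two points raised in the thread (verify the signature once per download rather than once per read, and keep the writable data directory out of `vendor/` with sane permissions) as an added example. This is not code from `paragonie/certainty` or `totten/ca-config`; it is a stand-alone Python sketch of the pattern. Assumptions: the trusted digest is a SHA-256 hex string obtained out of band (the Ed25519 signature step Certainty performs is omitted because the standard library has no Ed25519), the data directory is whatever path the deploying admin chooses, and the function names `install_bundle`/`bundle_path` are this example's own.

```python
# Added example, not code from paragonie/certainty or totten/ca-config.
# Download-time: verify the bundle against a trusted digest (assumed to be a
# SHA-256 hex string supplied out of band) and install it atomically into a
# configurable data directory. Read-time: no signature work, only a cheap
# refusal to hand curl a path that other local users could rewrite.
import hashlib
import hmac
import os
import stat
import tempfile

BUNDLE_NAME = "cacert.pem"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bundle bytes."""
    return hashlib.sha256(data).hexdigest()


def install_bundle(data_dir: str, bundle: bytes, expected_sha256: str) -> str:
    """Download-time step: check the bundle against the trusted digest, then
    write it atomically, owner-writable only. Returns the installed path.
    A bad bundle never touches the final path, so a previously installed
    good bundle stays in place."""
    if not hmac.compare_digest(sha256_hex(bundle), expected_sha256):
        raise ValueError("bundle digest mismatch; refusing to install")
    os.makedirs(data_dir, mode=0o755, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=data_dir, prefix=".cacert-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(bundle)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)   # mkstemp gives 0600; curl only needs read access
        final = os.path.join(data_dir, BUNDLE_NAME)
        os.replace(tmp, final)  # atomic swap: readers see old or new, never partial
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def bundle_path(data_dir: str) -> str:
    """Read-time step, the one called on every request: no signature check,
    just refuse to trust a bundle whose file or directory is world-writable."""
    final = os.path.join(data_dir, BUNDLE_NAME)
    for path in (data_dir, final):
        st = os.stat(path)
        if st.st_mode & stat.S_IWOTH:
            raise PermissionError(f"{path} is world-writable; not trusting it")
    return final


if __name__ == "__main__":
    # Constructed sample input, not a real certificate.
    sample = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    data_dir = tempfile.mkdtemp(prefix="ca-bundle-")  # anywhere but vendor/
    installed = install_bundle(data_dir, sample, sha256_hex(sample))
    print("bundle installed at", installed)
    print("curl CAINFO should point at", bundle_path(data_dir))
```

The split mirrors the suggestion in the thread: the expensive trust decision happens once, when a new bundle is fetched, and the per-request path only guards against the local-permissions problem a liberal `vendor/` data folder would create. A composer post-install hook that chmods the directory would serve the same purpose as the `S_IWOTH` check here, but checking at read time catches drift after install as well.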