[wp-trac] [WordPress Trac] #42824: Add https://github.com/WordPress/WordPress to packagist
WordPress Trac
noreply at wordpress.org
Thu Dec 7 14:06:22 UTC 2017
#42824: Add https://github.com/WordPress/WordPress to packagist
-------------------------+----------------------
Reporter: kkoyan | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: General | Version:
Severity: normal | Resolution: invalid
Keywords: | Focuses:
-------------------------+----------------------
Comment (by kkoyan):
This is what I originally thought of using, but (no offence to the great
work and intentions of Johnpbloch), it is a security issue having code
that goes through the bottleneck of a single developer. Aka, if the owner
of that GitHub account had bad intentions, they could modify core code
before shipping it.
Currently, to overcome this risk, we have our own registry that does the
same thing and delivers a package of WordPress that we can use to install
via composer:
https://p4-composer-registry.greenpeace.org/#greenpeace/planet4-wordpress-upstream
Again, it is great for us, but for any third party it is an untrusted
source.
But I am looking into stopping our own registry altogether and just using
wpackagist and packagist for everything (in which case a package from the
core would be the one I would trust to use).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42824#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform