Composer's bug now fixed
As an update to my previous post, the composer security problem now appears fixed.
Good to see that a quick response was possible after all.
To get the latest composer, run:
My previous post was not received really well among some of the composer stakeholders, but I feel it’s important to stand my ground here.
Software is going to have security problems. There’s no shame in that. When a security problem is discovered, it is very important to handle this in a responsible manner.
Lacking a quick solution for a security problem, it could have been a wise thing to at least release a statement such as “we are aware of this, and we are working on this”. Arguing about wether this was a security problem or not is a debate I’d be happy to take on (still) but in the meantime, people are installing packages and php code that they don’t expect.
Still a huge fan of composer though. Here’s to a swiftly 1.0 version ;)