[Security] Consider adding some information about checking Symfony signatures #4089
Comments
I don't think the cookbook should be in the Security section. The security section is a section about the Security component. Checking release checksums is totally unrelated.

I agree with you about putting this cookbook in the Workflow section. Thanks for your suggestion @stof. However, I don't think that we should restrict the Security section of the Cookbook to information about the Security component (by the way, we already have a page for that: symfony.com → components → security). If we write someday an article about a Symfony security checklist or how to properly configure Symfony from a security point of view or something like that, we could add it to the Security section of the cookbook.

@javiereguiluz the distinction between the cookbook and the component section here is that the component section describes the usage of the standalone component. The cookbook describes how to do things with the Security component and SecurityBundle in the context of the fullstack framework (for stuff which doesn't fit in the book itself).

I'd really like to make it as easy as possible to do this. So either: A) Telling them to clone the https://github.com/sensiolabs/checksums repository and then run the OR B) Adding a console command (something like the proposed It's gotta be easy to do - checking signatures is confusing stuff :). This also will have limited use unless we can allow third-party libraries to sign their releases (they can sign their tags, but they can't do the archive-signing that @fabpot is doing). I just ran this on one of my projects, and 75% of the libraries came back as "unknown package".

We should also have a way to make the verification work for Windows users. The checksums repo currently uses a bash script for the task, which does not play well cross-OS.

The script provided is just a POC. We could rewrite it in a better way to make it compatible with Windows.
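The two comments above ask for a release check that is easy to run and that works on Windows as well as on Linux. The block below is an added example, not the script from the sensiolabs/checksums repository and not Symfony or Symfony Installer code; it shows the shape of such a check in Go, which compiles to a single binary on every OS. It assumes a manifest in `sha256sum` layout (`<hex digest>  <archive name>`) and an Ed25519 detached signature over the whole manifest; the real key type and manifest layout used by the checksums repository are not shown on this page, so treat those as assumptions. The verifier checks the signature before it trusts a single manifest line, and reports the three distinct failures a user needs to tell apart: bad signature, archive not listed ("unknown package", the result mentioned above for unsigned third-party libraries), and hash mismatch. The archive name and bytes in `main` are constructed sample data.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Distinct verdicts so a caller (or a console command wrapping this) can
// explain to the user which check failed.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrUnknownPackage = errors.New("unknown package: archive not listed in manifest")
	ErrHashMismatch   = errors.New("archive hash does not match manifest")
	ErrMalformed      = errors.New("malformed manifest line")
)

// ParseManifest reads "<sha256-hex>  <archive-name>" lines (sha256sum layout,
// an assumption for this example) into archive name -> expected digest.
func ParseManifest(manifest []byte) (map[string][]byte, error) {
	out := make(map[string][]byte)
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("%w: %q", ErrMalformed, line)
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("%w: %q", ErrMalformed, line)
		}
		out[fields[1]] = digest
	}
	return out, sc.Err()
}

// VerifyArchive checks, in this order: the manifest carries a valid Ed25519
// signature from the trusted release signer; the archive name is listed; the
// archive's SHA-256 matches. The signature comes first so that a tampered
// manifest is never used for any verdict, not even "unknown package".
func VerifyArchive(pub ed25519.PublicKey, manifest, sig []byte, name string, archive []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return ErrBadSignature
	}
	entries, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return ErrUnknownPackage
	}
	got := sha256.Sum256(archive)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrHashMismatch
	}
	return nil
}

// SignManifest is the release-side counterpart: one line per archive, sorted
// for a stable manifest, and a single signature over the whole text.
func SignManifest(priv ed25519.PrivateKey, archives map[string][]byte) (manifest, sig []byte) {
	names := make([]string, 0, len(archives))
	for n := range archives {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(archives[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	manifest = []byte(b.String())
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway signer key for the demo
	// Constructed sample release: the name and contents are not a real archive.
	archives := map[string][]byte{"example-1.0.0.tgz": []byte("constructed archive bytes")}
	manifest, sig := SignManifest(priv, archives)

	fmt.Println("good archive:   ", VerifyArchive(pub, manifest, sig, "example-1.0.0.tgz", archives["example-1.0.0.tgz"]))
	fmt.Println("tampered bytes: ", VerifyArchive(pub, manifest, sig, "example-1.0.0.tgz", []byte("something else")))
	fmt.Println("unlisted name:  ", VerifyArchive(pub, manifest, sig, "third-party-2.0.tgz", nil))
	sig[0] ^= 1
	fmt.Println("bad signature:  ", VerifyArchive(pub, manifest, sig, "example-1.0.0.tgz", archives["example-1.0.0.tgz"]))
}
```

In a real tool the public key would be pinned in the binary or fetched once over a trusted channel, and the archive would be streamed through the hash rather than read into memory; both are left out here to keep the check itself readable.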
@stof the cookbook doesn't group by component, but by topic. "Security" can contain any article that belongs to the Security topic. Most of them would be about the Security component, but it should not be limited to component stuff only imo.

I've added a note about digital signatures in the new installation chapter. I think this is enough for now, because duplicating Fabien's original article into the cookbook doesn't make sense to me. In addition, there are some issues in the Symfony Installer to add digital signature verification in the future. That's why I'm closing this issue: it's already fixed with all the things mentioned above.

While I like your work regarding the 500 - 100 challenge and your push to close as many issues as possible, I don't agree with changing our closing policy during this period. Normally, we close issues once their related PR is merged, not when the PR is created. You should add this issue to the

@wouterj sorry for that (and apologies to @xabbuh and @weaverryan too). You are right that I'm too anxious about closing issues and merging PRs faster.
Btw, do you know the docs are almost there already? :) https://twitter.com/wouterjnl/status/544641258334199808 |
@wouterj I beg to differ with your optimism. In my opinion, most of "easy picks" aren't easy at all and they won't be fixed anytime soon (some of them, never). |
@javiereguiluz hmm, I've gone through the list of easy picks and updated it a bit. It now only contains issues that are an easy pick (that means, are fixable without deep knowledge about Symfony internals or docs). If you still spot issues in the list that don't belong to this category, please leave a comment behind in the issue. Easy picks are the issues for beginners, if there are really bad issues in it, it isn't a great start... |
👍 hopefully we don't need that much documentation about this topic. The problem is that this is very important and should be very simple to use.

…fony (javiereguiluz) This PR was merged into the 2.3 branch.

Discussion
----------

Rewritten from scratch the chapter about installing Symfony

| Q             | A            |
| ------------- | ------------ |
| Doc fix?      | yes          |
| New docs?     | yes          |
| Applies to    | all          |
| Fixed tickets | #4122, #4089 |

Commits
-------

7de83a3 Replaced a "note" by a "seealso"
b45c338 Improved the wording of the note about using legacy PHP 5.3 version
40d7772 Reworded the reasons why you should use Composer-based installation
2e72138 Wrapped a line to follow doc standards
7e9cd04 Display the same version number on Linux and Windows to avoid confusions
12c2557 Add an explicit command to better explain that we recommend to move symfony.phar to projects directory
12eb76e Reworded a confusing phrase
b665d86 Added a note about verifying Symfony digital signatures
8f202c6 Re-added a wrongly deleted link reference
c291a73 Rewritten from scratch the chapter about installing Symfony

It can be closed now! (btw, maybe this should be integrated into the installer?)

symfony/symfony-installer#21 for anyone looking into this :)
Fabien published today a very interesting article: Signing Project Releases. Is this something that we should mention in the official Symfony documentation?

If you agree, here is my initial proposal: