[mythtv-users] Schedules Direct DataDirect replacement service testing

Keith Pyle kpyle at austin.rr.com
Fri Oct 3 02:40:22 UTC 2014


On 10/02/14 16:30, Tom Dexter wrote:
>
> On Thu, Oct 2, 2014 at 1:14 PM, Karl Newman <newmank1 at asme.org> wrote:
>> On Thu, Oct 2, 2014 at 9:46 AM, R. G. Newbury <newbury at mandamus.org> wrote:
>>>
>>> Whichever way you choose to move, you WILL have to choose.
>>
>>
>> I think most of us are waiting on some official word from the mythtv
>> developers--who have been strangely silent about this topic on this list--as
>> to which direction they are heading and if there are any official patches in
>> the works to deal with this change.
>>
>> Karl
>>
> Absolutely.  Even though I'm a programmer and probably among the more
> technical MythTV users, I think I speak for many here when I say that
> the descriptions so far around using the new JSON grabber and how it
> all actually relates to MythTV itself have me completely dumbfounded.
> There hasn't even been a clear consensus on whether or not it means
> blowing away and rescanning all your sources and channels etc., which
> frankly still makes no sense to me.
>
I have a slightly different concern, or two.

Piping an unknown blob from a URL into a shell isn't the safest or most 
secure means of installing software.  Of course, it is possible to read 
a few hundred lines of PHP code and try to make sure it is safe - but 
why?  What about the packages it installs?  The top hit on 'composer 
integrity checks': 
http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/. 
I still don't see how Composer verifies the integrity of its downloads.  
Never mind, it looks like it doesn't: 
https://github.com/composer/composer/issues/1074.

It appears that Composer will be managing certain packages itself. 
Distributions already have their own package managers that can track 
what packages are current, and Composer limits the native package 
manager's ability to know what is installed.  Composer bundles its own 
dependencies, which also works around the native package manager.  (For 
those interested, Gentoo has had bug 439206 open for a couple of years 
discussing Composer.)

Keith
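
An added example, not part of the original post and not code from Composer or MythTV: one way to avoid piping a URL straight into an interpreter is to save the installer to a file first (for instance with curl -o), obtain its SHA-256 from a separate trusted channel, and run it only if the digest matches. The function names and the idea of a pinned digest are assumptions of this sketch; the sample input in the test is constructed.

```shell
#!/bin/sh
# Added example: check a downloaded installer against a pinned SHA-256
# before handing it to an interpreter. All names here are hypothetical.

# sha256_of FILE -> prints the lowercase hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_HEX -> returns 0 only if the digest matches.
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Reject a pinned value that is not exactly 64 hex characters, so an
    # empty or truncated digest can never compare equal by accident.
    case $expected in
        *[!0-9a-f]*) echo "bad digest format" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# run_if_verified FILE EXPECTED_HEX INTERPRETER [ARGS...]
# Executes "INTERPRETER ARGS FILE" only after the digest check passes.
run_if_verified() {
    file=$1; expected=$2; shift 2
    verify_pinned "$file" "$expected" || return 1
    "$@" "$file"
}
```

The check is only as strong as the channel the pinned digest came from: a digest fetched from the same server as the installer shows the download was not corrupted, but not that it is the file the author published.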


