

Show HN: PHPUnit doesn't sign its PHAR - sarciszewski
https://github.com/sebastianbergmann/phpunit/issues/1334

======
sarciszewski
Okay, I just _have_ to share this with HN.

I think Test-Driven Development is a neat idea. Truly. But it's depressing to
think that of all the developers who sing its praises, nobody has ever
thought, "Hey, before blindly running a .phar on my machine (that probably has
incredibly valuable proprietary source code for Company X), I should verify
the integrity of the package."

You know, because nobody has ever thought to hack the endpoint and modify the
file on the server before?

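A defender-side version of the check sarciszewski is asking for, as an added example that is not from the thread or from PHPUnit itself: a small POSIX shell helper that refuses to run a downloaded PHAR unless its SHA-256 matches a value obtained out-of-band (pinned in your build config or taken from a signed release note), with an optional detached-GPG check against a keyring you control. The function names, the keyring path and the `php` binary on `PATH` are assumptions; the "hello" sample file and its digest are constructed for the demo.

```shell
#!/bin/sh
# Added example (hypothetical helper, not PHPUnit's own tooling): verify a PHAR
# before executing it. The expected digest must come from somewhere other than
# the download endpoint itself, otherwise a tampered server can lie twice.

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_phar FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
verify_phar() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "verify_phar: no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify_phar: digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# verify_phar_gpg FILE SIGNATURE KEYRING -> 0 only if the detached signature
# validates against KEYRING (assumed to hold just the maintainer's public key,
# imported and fingerprint-checked by you, not fetched alongside the PHAR).
verify_phar_gpg() {
    command -v gpg >/dev/null 2>&1 || { echo "verify_phar_gpg: gpg not installed" >&2; return 1; }
    gpg --batch --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# run_phar FILE EXPECTED_SHA256 [ARGS...] -> execute the PHAR only after the
# digest check passes; any failure aborts before php ever touches the file.
run_phar() {
    file="$1"; expected="$2"; shift 2
    verify_phar "$file" "$expected" || return 1
    php "$file" "$@"
}

# Demo on a constructed file whose SHA-256 is known (content "hello").
demo() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"
    good=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    verify_phar "$tmp" "$good" && echo "demo: intact, would run"
    printf '!' >> "$tmp"      # simulate modification on the server or in transit
    verify_phar "$tmp" "$good" || echo "demo: tampered, refusing to run"
    rm -f "$tmp"
}

demo
```

The digest check alone only proves the file you got matches the one you expected; it is only as trustworthy as the channel the expected value came from, which is why a detached signature from a key you have verified independently is the stronger control.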
~~~
krapp
I wish I knew more about .phar security in general...

