[ciapug] phar

[Tony Bibbs]

Keep in mind the new version of PEAR will use Phar's and PEAR packages already know plenty about their version (and other package meta data).  That said I don't see how this is as big of a problem until you deal with non-PEAR packages like the ones in the Zend Framework (don't get me started).  One thing worth noting Phar's are opcode cache friendly.

--Tony



----- Original Message ----
From: Colin Burnett <cmlburnett at gmail.com>
To: Central Iowa PHP Users Group <ciapug at cialug.org>
Sent: Tuesday, September 2, 2008 7:10:13 PM
Subject: Re: [ciapug] phar

On Tue, Sep 2, 2008 at 2:19 PM, Eric Junker <eric at eric.nu> wrote:
> Has anyone had a chance to play around with phar?
> http://us.php.net/phar

I have to admit that my first response was: oh my god..... *gasp*.

Reading some of the details it seems basically like a rip-off of
Java's JAR.  Files plus manifest with optional signature.  Except
JAR's signature cryptographically ensures the integrity where as
phar's signature is basically just a checksum (which I see no reason
why it couldn't be maliciously changed).  I don't know java nor JARs
so that's from my understanding of wikipedia.

I look forward to the Wikipedia article on "phar hell" to match JAR
hell and DLL hell.  Especially since there's nothing in the phar to
indicate version of the contents.  It would appear the PHP team
learned nothing of DLL hell (I hope they've heard of it otherwise
history *will* repeat itself again) and why .NET has assemblies and a
GAC.

When you reinvent the wheel...don't forget the axle!


Colin
_______________________________________________
ciapug mailing list
ciapug at cialug.org
http://cialug.org/mailman/listinfo/ciapug