Deployer: Provide deployer.phar as release asset on github
As already mentioned in #940 supporting phive as installer would be a nice thing. Since phive comes now with the --force-accept-unsigned flag it can install pretty much any tool that provides a phar file as release asset on Github. For example it's possible to install composer via phive right away with:
phive install --force-accept-unsigned composer/composer
as composer uploads a phar file to each release: https://github.com/composer/composer/releases/tag/1.10.1
dnaber-de
All 6 comments
We tried out phive in our company.
It is a good way to install dependencies that you do not want to have in your composer.json.
But we decided not to go this way.
The problem with phive is, that it relies on keyservers to check download integrity.
This is a good and secure way, and phive also added more keyservers some month ago.
But the problem with this is, that the keyservers need to be up and available each time a developer wants to install software.
This also happens during deployment.
And keyservers are not very stable.
Our customers would love me when they hear the sentence: "no, I can't deploy now, because a keyserver is down".
There already is a dist distribution without dependencies that you can integrate in your project: https://packagist.org/packages/deployer/dist
This is a far more stable way then relying on phive.
ThomasNegeli
on 19 Mar 2020
As I wrote in the ticket, Phive provides a flag that bypasses key verification and just downloads a .phar assigned to a Github release.
dnaber-de
on 19 Mar 2020
I think now the deployer release process complicated enough. First, it should be simplified.
antonmedv
on 26 Apr 2020
We have a lot of misunderstandings here.
- the keyservers are needed 1脳 at the very beginning to get the public part of the signing GPG key, the key is then saved to
~/.phive - Composer is designed to distribute/manage PHP source code not PHAR files
- Phive is the tool to distribute PHAR files
- it is much more difficult to have
deployer/distthan uploading a PHAR file and a signature to this very repo's releases as assets
szepeviktor
on 25 Jul 2020
- the keyservers are needed 1脳 at the very beginning to get the public part of the signing GPG key, the key is then saved to ~/.phive
Good to know.
- Composer is designed to distribute/manage PHP source code not PHAR files
This is try, but it can distribute phar files as well. See deployer/dist.
- Phive is the tool to distribute PHAR files.
This is a fact.
- it is much more difficult to have deployer/dist than uploading a PHAR file and a signature to this very repo's releases as assets
It is not much more difficult. It's a little bit more complicated, but it鈥檚 already implemented and working.
Again, my point is what I don't want to rush into new release process/tool. Let鈥檚 wait to see how it will be adopted by the community.
antonmedv
on 26 Jul 2020
how it will be adopted by the community.
I'm working on making phive popular!
szepeviktor
on 26 Jul 2020
Related issues
antonmedv
路
5Comments
dima-stefantsov
路
4Comments
exts
路
3Comments
ElForastero
路
3Comments
ovaiskhan11
路
4Comments
Most helpful comment
We tried out phive in our company.
It is a good way to install dependencies that you do not want to have in your composer.json.
But we decided not to go this way.
The problem with phive is, that it relies on keyservers to check download integrity.
This is a good and secure way, and phive also added more keyservers some month ago.
But the problem with this is, that the keyservers need to be up and available each time a developer wants to install software.
This also happens during deployment.
And keyservers are not very stable.
Our customers would love me when they hear the sentence: "no, I can't deploy now, because a keyserver is down".
There already is a dist distribution without dependencies that you can integrate in your project: https://packagist.org/packages/deployer/dist
This is a far more stable way then relying on phive.