From 69bbe0918d6ddbd16515eda21ae8fa87f19a9e23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A1draic=20Brady?= Date: Sun, 2 Mar 2014 18:24:03 +0000 Subject: [PATCH] Minimal documentation updates --- doc/00-intro.md | 12 +++++++++++- doc/03-cli.md | 24 ++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/doc/00-intro.md b/doc/00-intro.md index 4eeabddf2..974691cf5 100644 --- a/doc/00-intro.md +++ b/doc/00-intro.md @@ -121,7 +121,9 @@ composer.phar: C:\Users\username>cd C:\bin C:\bin>php -r "readfile('https://getcomposer.org/installer');" | php -> **Note:** If the above fails due to readfile, use the `http` url or enable php_openssl.dll in php.ini +> **Note:** If the above fails due to readfile, enable php_openssl.dll in php.ini. +> You may use the http URL, however this will leave the request susceptible to a +> Man-In-The-Middle (MITM) attack. Create a new `composer.bat` file alongside `composer.phar`: @@ -152,6 +154,14 @@ run this instead: Following the [example above](#declaring-dependencies), this will download monolog into the `vendor/monolog/monolog` directory. +> **Note:** Composer will attempt to protect all HTTPS requests using SSL/TLS. It +> implements peer verification using a certificate bundle, either one installed on +> the local system or a copy distributed with Composer. You may also pass the path +> to a bundle using the --cafile option for most commands. While you can also +> disable peer verification by passing the --disable-tls option, this is not +> recommended and will leave all downloads susceptible to Man-In-The-Middle (MITM) +> attacks. + ## Autoloading Besides downloading the library, Composer also prepares an autoload file that's diff --git a/doc/03-cli.md b/doc/03-cli.md index 3e9ae78e2..9b37ed71d 100644 --- a/doc/03-cli.md +++ b/doc/03-cli.md 
@@ -88,6 +88,8 @@ resolution. * **--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default. +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. ## update @@ -125,6 +127,8 @@ You can also use wildcards to update a bunch of packages at once: lock file being out of date. * **--with-dependencies** Add also all dependencies of whitelisted packages to the whitelist. So all packages with their dependencies are updated recursively. +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. ## require @@ -151,6 +155,8 @@ to the command. terminals or scripts which don't handle backspace characters. * **--update-with-dependencies** Also update dependencies of the newly required packages. +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. ## global @@ -183,6 +189,8 @@ You can also search for more than one term by passing multiple arguments. ### Options * **--only-name (-N):** Search only in name. +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. ## show @@ -220,6 +228,8 @@ specific version. * **--installed (-i):** List the packages that are installed. * **--platform (-p):** List only platform packages (php & extensions). * **--self (-s):** List the root package info. +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. ## depends 
@@ -284,6 +294,8 @@ you may have to run the command with `root` privileges * **--rollback (-r):** Rollback to the last version you had installed. * **--clean-backups:** Delete old backups during an update. This makes the current version of composer the only backup available after the update. +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. ## config @@ -368,6 +380,8 @@ By default the command checks for the packages on packagist.org. * **--keep-vcs:** Skip the deletion of the VCS metadata for the created project. This is mostly useful if you run the command in non-interactive mode. +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. ## dump-autoload @@ -406,6 +420,11 @@ problems. $ php composer.phar diagnose +### Options + +* **--disable-tls:** Display SSL/TLS peer verification. +* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification. + ## archive This command is used to generate a zip/tar archive for a given package in a @@ -525,6 +544,11 @@ By default it points to $COMPOSER_HOME/cache on \*nix and OSX, and This env var controls the time composer waits for commands (such as git commands) to finish executing. The default value is 300 seconds (5 minutes). +### COMPOSER_CAFILE + +By setting this environmental value, you can set a path to a certificate bundle +file to be used during SSL/TLS peer verification. + ### COMPOSER_DISCARD_CHANGES This env var controls the discard-changes [config option](04-schema.md#config).
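Review bot: In the doc/00-intro.md hunk at -121,7, the rewritten note still offers the http URL as a fallback for a command whose output is piped straight into `php`, so a tampered response would be executed as the installer rather than merely downloaded. Consider dropping the http fallback, or stating explicitly that the fetched script is executed. The note should also format php_openssl.dll and php.ini as code, as the removed line did for `http`.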
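Review bot: In the note added to doc/00-intro.md at -152,6, "will attempt to protect all HTTPS requests" does not say what happens when no certificate bundle is found or peer verification fails. State whether the command aborts or continues unverified. "for most commands" is also left open, so either name the commands or link to doc/03-cli.md. Finally, wrap --cafile and --disable-tls in backticks.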
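Review bot: Every --disable-tls line added in the doc/03-cli.md hunks reads "Display SSL/TLS peer verification", which looks like a typo for "Disable", given the option name and the intro note in this same patch describing it as disabling peer verification. Since these option lists are where users look the flag up, repeat the intro's caveat here that it is not recommended and leaves downloads susceptible to MITM attacks. The --cafile lines say "certificate file" while the intro says "path to a bundle", so pick one term.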
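Review bot: The new COMPOSER_CAFILE section at -525,6 in doc/03-cli.md says "environmental value", where the neighbouring sections say "This env var controls ...", and it does not say which setting wins when both COMPOSER_CAFILE and --cafile are given. Suggest matching the neighbouring wording and adding one sentence on precedence.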