
Replied to a post on github.com:

My €0.02 is that including dependencies in the binary is preferable as it gives you everything ready to go and there's less chance of tampering.

Git submodules are next preferable because it's a tool you're likely to have installed and you can peg modules to a known release.

Composer in my view is convenient (although not that convenient because you still have to install composer), but it scares the shit out of me because literally the first thing they tell you to do is "Please download and run this unverified script directly off the internet, but trust us it'll be *fiiiiiiine*".

Or as I said in my previous comment, "wget rootkit.php"