A lot of people do a lot of things wrong. In my opinion, it's better to
create simple things that are easy to learn to use correctly - as opposed
to creating complex things that supposedly shield you from making mistakes.
Often such things provide only a false sense of security - and usually you
can break them and hurt yourself anyhow.

Most server side components have some kind of client side footprint - URLs
or HTML class names etc which can be used to figure out what you're running.
I really don't think it's within the scope of this specification to teach
OWASP 101? Package names are obviously revealed in the URLs - it's hardly a
hidden detail, it's basically the whole concept.

In my opinion, there is no security problem inherent in this idea, unless
you create one.

On Oct 17, 2016 9:30 PM, "Sven Sauleau" <sven.saul...@gmail.com> wrote:
> Using this standard, people can know what packages you are using because
> of its predictable paths. Some packages are running server-side code as
> well as exposing public assets.
> I said (in the comments of the gist) that exposing stuff is the
> responsibility of the developer. I’m sure some people will be confused and
> disclose information they shouldn’t (as mentioned by Fabien).
> On Monday, October 17, 2016 at 16:43:25 UTC+9, Rasmus Schultz wrote:
>> I wrote a draft for a simple scheme for the inclusion of static assets in
>> (Composer) packages.
>> Not submitting this or anything, just dumping it here to start a
>> discussion :-)