Page MenuHomePhabricator
Create Task
Maniphest T6012

Why doesn't Phabricator (or Arcanist, or libphutil) support Composer?
Open, NormalPublic
Actions

Description

We are not satisfied with the security model of Composer. We believe a package manager has a substantial burden to protect and inform users, and that Composer currently fails to uphold that burden.

When you type composer require package/name, you implicitly trust both packagist.org and the package owner on packagist.org, who is unverifiable and not vetted. This default chain of trust is not made obvious to many users, and the package upstream may be essentially uninvolved. The circumstances in which packagist.org makes package changes are not documented, the changes are not signed, and these changes are not auditable. Package owners on packagist.org are not verifiable, changes they make are not signed, and their changes are not auditable. There is no chain of trust between the package upstream and packagist.org. None of this is very clear to the average user.

You can find more details on a specific case of this at: https://github.com/phacility/xhprof/pull/40

We may support Composer in the future, but this upstream's attitudes toward security are currently very different from Composer's attitudes toward security.

We understand that a lot of users don't care about this, and Composer works well and is easy to use, but this is important to us.

Related Objects

Event Timeline

epriestley created this task.Sep 1 2014, 5:37 PM
epriestley renamed this task from Why doesn't Phabricator/arcanist/libphutil support Composer? to Why doesn't Phabricator (or Arcanist, or libphutil) support Composer?.
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added a project: Guides.
epriestley added a subscriber: epriestley.
epriestley updated the task description. (Show Details)Sep 1 2014, 5:39 PM
qgil added a subscriber: qgil.Sep 1 2014, 7:48 PM
glen added a subscriber: glen.Sep 1 2014, 9:14 PM
tecfu added a subscriber: tecfu.Mar 17 2015, 10:40 PM

+1 for composer install anyway.

tecfu added a comment.Mar 17 2015, 10:41 PM

You guys could always host the composer package from github and just document how to install directly from phabricator's github instead of packagist.

avivey merged a task: T7622: Use composer. .Mar 18 2015, 7:27 PM
epriestley mentioned this in T8115: arcanist plugin system.May 29 2015, 9:13 PM
epriestley mentioned this in Q129: Why are dependencies vendored into the externals directory? (Answer 155).Sep 13 2015, 8:51 PM
epriestley mentioned this in T1273: There should be a way to specify phutil library dependencies.Sep 18 2015, 9:14 PM
paladox added a subscriber: paladox.Apr 3 2016, 11:54 AM
epriestley mentioned this in T11371: Restore PHP to Glory.Jul 25 2016, 9:24 PM
epriestley mentioned this in T11393: separate the git html diff into a separate component.Jul 29 2016, 2:23 PM
J5lx added a subscriber: J5lx.Dec 3 2016, 7:17 PM
Herald added a subscriber: eadler. · View Herald TranscriptDec 3 2016, 7:17 PM
chad mentioned this in T12024: Feature request: Release arcanist as Phar package, to reduce the cost (download, redistribute, update, mantain).Dec 16 2016, 6:44 AM
epriestley mentioned this in T12617: Composer packages.json generator.Apr 21 2017, 5:20 PM
epriestley mentioned this in T9805: XHProf will not build on PHP7.Nov 29 2017, 8:57 PM
epriestley added a comment.Jan 24 2019, 4:54 PM

Not exactly related, but PEAR got compromised: https://news.ycombinator.com/item?id=18987518

See also the 35 NPM issues every week.

Phabricator · Built by Phacility