We are not satisfied with the security model of Composer. We believe a package manager has a substantial burden to protect and inform users, and that Composer currently fails to uphold that burden.
When you type `composer require package/name`, you implicitly trust both `packagist.org` and the package owner on `packagist.org`, who is unverifiable and not vetted. This default chain of trust is not made obvious to many users, and the package upstream may be essentially uninvolved. The circumstances in which `packagist.org` makes package changes are not documented, and those changes are neither signed nor auditable. Likewise, package owners on `packagist.org` are not verifiable, and the changes they make are neither signed nor auditable. There is no chain of trust between the package upstream and `packagist.org`. None of this is very clear to the average user.
You can find more details on a specific case of this at: https://github.com/phacility/xhprof/pull/40
We may support Composer in the future, but this upstream's attitudes toward security are currently very different from Composer's attitudes toward security.
We understand that a lot of users don't care about this, and Composer works well and is easy to use, but this is important to us.