The Composer & Packagist related security issues from the “xhprof dropped composer” debate

Yes, Composer and Packagist have long-standing security issues.

There was quite a debate going on over at GitHub after Evan Priestley decided to drop Composer support for phacility/xhprof, formerly facebook/xhprof.

The short story: Evan is the new maintainer of xhprof. He decided against setting up his own “phacility/xhprof” package over at and dropped Composer support completely after he found out that Lachlan Donald (lox), who is not the maintainer of xhprof, had created such a package on to provide Composer support for the community. Lachlan solved the problem of the original maintainer, Facebook, being unresponsive to this request. Now, instead of solving a simple Packagist registration problem, Evan raised general and already-known security concerns about the Composer and Packagist ecosystem.

I’ve pulled out some of the issues raised in this debate:

1. How to verify the identity of a user account on
2. There isn’t any documentation on the transfer policy of packages from one user account to another.
3. How to verify that the owner of a package is someone I trust?
4. How to verify that any changes made to the package are authorized changes?
5. Would it be possible to sign Composer packages to raise the trust level?

And now I have to hand Evan a Snickers, because: you’re not you when you’re hungry.
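An added example, not code from the debate or from the Composer project: one consumer-side approach to questions 3 and 4 is to read the `source` entries that composer.lock records and flag packages whose repository owner is not an account you trust or does not match the vendor prefix, plus entries not pinned to a commit id. The package names, accounts, trusted-owner set and function names are assumptions made up for the illustration.

```python
import json
from urllib.parse import urlparse

# Constructed composer.lock excerpt: package names, accounts and the commit id
# are placeholders made up for this example, not values from the debate.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "acme/profiler", "version": "dev-master",
     "source": {"type": "git", "reference": "0" * 40,
                "url": "https://github.com/community-fork/profiler.git"}},
    {"name": "acme/logger", "version": "1.2.0",
     "source": {"type": "git", "reference": "master",
                "url": "git@github.com:acme/logger.git"}},
], "packages-dev": []})

def repo_owner(url):
    """Return the account segment of an https or scp-style git URL, lowercased."""
    if "://" not in url and ":" in url:   # scp style: git@host:owner/repo.git
        path = url.split(":", 1)[1]
    else:
        path = urlparse(url).path
    parts = [p for p in path.split("/") if p]
    return parts[0].lower() if parts else ""

def is_commit_id(ref):
    """True for a full 40-hex commit id, False for a branch or tag name."""
    return len(ref) == 40 and all(c in "0123456789abcdef" for c in ref.lower())

def audit_lock(lock_text, trusted_owners):
    """Return (package, finding) pairs that need a human decision."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        vendor = name.split("/", 1)[0].lower()
        source = pkg.get("source") or {}
        owner = repo_owner(source.get("url") or "")
        if not owner:
            findings.append((name, "no source repository recorded"))
        elif owner not in trusted_owners:
            findings.append((name, f"repository owner '{owner}' is not trusted"))
        elif owner != vendor:
            findings.append((name, f"vendor '{vendor}' differs from owner '{owner}'"))
        if not is_commit_id(source.get("reference") or ""):
            findings.append((name, "source reference is not a pinned commit id"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_lock(SAMPLE_LOCK, {"acme"}):
        print(f"{name}: {finding}")
```

A check like this only tells you where the code comes from and whether it is pinned; it does not prove who controls the account, which is the part signing would have to address.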

PHP Implementations



A PHP VM implementation in PHP

HHVM is an open-source virtual machine designed for executing programs written in Hack and PHP.

PHP Compiler for JVM

An Embedded Implementation of PHP (C Library)

PHP runtime & compiler for .NET/Mono

An implementation of the PHP language in RPython

KPHP (KittenPHP) –
VKontakte PHP to C++ transformer

Roadsend PHP Compiler

Roadsend PHP Raven
Rewrite of the Roadsend PHP compiler in C++ using LLVM

php compiler

LLVM Playgrounds:

Zend ByteCode to LLVM Compiler –
(started by Nuno Lopes, not finished)

PHPUnit test error – headers already sent by phpunit.phar:2

While running PHPUnit tests, I got the following error:

Cannot modify header information - headers already sent by (output started at /usr/bin/phpunit.phar:2)

The solution is to redirect the phpunit output to the standard error output.

phpunit --stderr ...

Musical Note Symbol as List Bullets

How do you use Unicode musical note symbols as list bullets?

Ok, here we go. Firstly, select your desired Musical Note Symbol:

2669 = ♩
266A = ♪
266B = ♫
266C = ♬
266D = ♭
266E = ♮
266F = ♯

Secondly, add the musical note symbol as the content of the li:before pseudo-element.
Instead of adding the symbol directly, you might try escaping the Unicode code point (“\2669”).
Thirdly, remove the default bullets by applying “list-style-type: none;” to the li tag.

Marry Netbeans and SQLite

How to add a SQLite driver as a Database Service into Netbeans for accessing SQLite database files?

  1. You will need a SQLite driver. I suggest using the one from
  2. Direct Download:
  3. Start Netbeans
  4. Open the Services Window via Menu: Window -> Services (or just Ctrl+5)
  5. Expand the “Databases” node and right-click on “Drivers”.
  6. The dialog “New JDBC Driver” appears. Click “Add…” and in the “Select Driver” dialog, select the downloaded driver file.
  7. Click Find to scan for the proper class name. Now “org.sqlite.JDBC” should appear in the Driver Class text field.
  8. Give this driver a name, like “SQLite Driver”.
  9. Expand the Drivers node, and you should see the SQLite entry.
  10. Done!

Next question:

How do I access a SQLite database file with this thingy?

  1. Expand the Drivers node, right-click on “SQLite Driver”.
  2. Click “New Connection...”.
  3. The “New Connection Wizard” dialog appears.
  4. Specify a JDBC URL to your SQLite file, like so: jdbc:sqlite://C:/folder-where-your-database-file-resides/sampledb.sqlite
  5. Done!

