Jens A. Koch

Composer & Packagist security issues from the “xhprof dropped composer” debate

Yes, Composer and Packagist have long-standing security issues.

There was quite a debate going on, over at Github, after Evan Priestley decided to drop Composer support for phacility/xhprof, formerly facebook/xhprof.

The short-story: Evan is the new maintainer of xhprof. He decided against setting up his own “phacility/xhprof” package over at and dropped Composer support completely, after he found out, that Lachlan Donald (lox), who is not the maintainer of xhprof, created such a package on to provide Composer support for the community. Lachlan solved the problem of unresponsiveness of the original maintainer, facebook, to this request. Now, instead of solving a simple packagist registering problem, Evan came up with general and already known security concerns of the Composer and Packagist eco-system.

I’ve pulled out some of the issues raised in this debate:

1. How to verify the identify of a user account on
2. There isn’t any documentation on the transfer policy of packages from one user account to another.
3. How to verify that the owner of a package is someone I trust?
4. How to verify, that any changes made to the package are authorized changes?
5. Would it be possible to sign Composer packages to raise the trust level?

And now i have to hand Evan a snickers, because: you’re not you, when you’re hungry.

Comments Off on Composer & Packagist security issues from the “xhprof dropped composer” debate

Comments are closed.