Composer & Packagist security issues from the “xhprof dropped composer” debate
Yes, Composer and Packagist have long-standing security issues.
There was quite a debate going on, over at Github, after Evan Priestley decided to drop Composer support for phacility/xhprof, formerly facebook/xhprof.
The short-story: Evan is the new maintainer of xhprof. He decided against setting up his own “phacility/xhprof” package over at packagist.org and dropped Composer support completely, after he found out, that Lachlan Donald (lox), who is not the maintainer of xhprof, created such a package on packagist.org to provide Composer support for the community. Lachlan solved the problem of unresponsiveness of the original maintainer, facebook, to this request. Now, instead of solving a simple packagist registering problem, Evan came up with general and already known security concerns of the Composer and Packagist eco-system.
I’ve pulled out some of the issues raised in this debate:
1. How to verify the identify of a user account on packagist.org?
2. There isn’t any documentation on the transfer policy of packages from one user account to another.
3. How to verify that the owner of a packagist.org package is someone I trust?
4. How to verify, that any changes made to the package are authorized changes?
5. Would it be possible to sign Composer packages to raise the trust level?
And now i have to hand Evan a snickers, because: you’re not you, when you’re hungry.
