I love Composer for developing but I hate it for production because of security issues. I know Packagist doesn't scan code: you can publish to it and it is instantly available, so it is always possible for malicious code to end up in it.

What I would like is something where developers can define their repository with GPG-signed packages.

composer install will fetch, verify the signature against the key ring, and refuse to install if verification fails.



It would mean that to use libraries from any given repository you have to import the public key from that developer, but... that's the whole point.
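The flow proposed in the post (a keyring of imported developer keys, a detached signature shipped with each release, and an installer that refuses to unpack anything that does not verify) can be modelled end to end. The program below is an added example, not Composer's or Packagist's code and not OpenPGP: it stands in Ed25519 from Go's standard library for GPG so that it runs with no external tools, and the Keyring, Package, SignPackage, Verify, Install and Scenario names, the fingerprint format and the "acme/lib" archive bytes are all constructed for illustration. What it shows that the prose does not is which failures a signature check actually catches: a tampered archive, a replaced signer whose key was never imported, and a valid signature replayed onto a different version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keyring maps a key fingerprint to an imported public key. A key is trusted
// only because the user imported it, exactly as with a GPG keyring.
// (Fingerprint here is a truncated SHA-256 of the raw key, an assumption of
// this example; OpenPGP has its own fingerprint format.)
type Keyring map[string]ed25519.PublicKey

func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func (k Keyring) Import(pub ed25519.PublicKey) string {
	fp := Fingerprint(pub)
	k[fp] = pub
	return fp
}

// Package is what a signing repository would publish: the archive, the
// fingerprint of the signing key, and a detached signature.
type Package struct {
	Name, Version string
	Archive       []byte
	SignerFP      string
	Signature     []byte
}

// signedMessage binds name and version to the archive digest, so a valid
// signature on one release cannot be replayed onto another release.
func signedMessage(name, version string, archive []byte) []byte {
	h := sha256.Sum256(archive)
	return []byte(name + "@" + version + ":" + hex.EncodeToString(h[:]))
}

func SignPackage(name, version string, archive []byte, priv ed25519.PrivateKey) Package {
	pub := priv.Public().(ed25519.PublicKey)
	return Package{
		Name: name, Version: version, Archive: archive,
		SignerFP:  Fingerprint(pub),
		Signature: ed25519.Sign(priv, signedMessage(name, version, archive)),
	}
}

var (
	ErrUntrustedKey = errors.New("signer key is not in the keyring")
	ErrBadSignature = errors.New("signature does not verify")
)

// Verify is the check the post wants `composer install` to run before
// unpacking: the signer must be an imported key AND the signature must be
// valid over this exact name, version and archive.
func Verify(k Keyring, p Package) error {
	pub, ok := k[p.SignerFP]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, signedMessage(p.Name, p.Version, p.Archive), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Install unpacks only after Verify passes; it returns whether it did.
func Install(k Keyring, p Package) (bool, error) {
	if err := Verify(k, p); err != nil {
		return false, err
	}
	// A real installer would extract p.Archive into vendor/ here.
	return true, nil
}

// Scenario builds a constructed release and four install attempts:
// genuine, tampered archive, re-signed by an attacker's key, and a genuine
// signature replayed onto another version.
func Scenario() (genuine, tampered, attacker, replayed error) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	archive := []byte("constructed archive bytes of acme/lib 1.2.0")

	ring := Keyring{}
	ring.Import(devPub) // the user imported the developer's key

	good := SignPackage("acme/lib", "1.2.0", archive, devPriv)
	genuine = Verify(ring, good)

	evil := good
	evil.Archive = append(append([]byte{}, archive...), []byte(" + backdoor")...)
	tampered = Verify(ring, evil)

	resigned := SignPackage("acme/lib", "1.2.0", evil.Archive, attackerPriv)
	attacker = Verify(ring, resigned)

	replay := good
	replay.Version = "1.3.0"
	replayed = Verify(ring, replay)
	return
}

func main() {
	g, t, a, r := Scenario()
	fmt.Println("genuine:", g, "| tampered:", t, "| attacker-signed:", a, "| replayed:", r)
}
```

The design choice worth noting is that the signer's key id travels with the package but trust comes only from the keyring: a package signed by a key the user never imported is rejected before the signature is even examined, which is the "you have to import the public key from that developer" property the post asks for.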

