Gossamer Composer Integration
At the end of this project, all PHP package releases distributed by Composer / Packagist will be secured by Gossamer.
Integration cannot begin until the developer tools are complete.
|Composer Pull Request||Pending|
Packagist (the server-side backend that Composer talks to) will need to be updated to integrate with Gossamer.
This includes (in no particular order):
- Enhancing the GitHub integration to fetch release files (for signatures)
- Publishing new releases onto the cryptographic ledger
- Allowing developers to manage their own identities and verification keys
Goal: A (relatively) simple Composer plugin that uses the Gossamer Client to ascertain if an update should be installed or not.
Composer Pull Request
Once the previous phases of the Composer integration are complete, we can discuss adding the Gossamer Plugin for Composer to Composer itself.
Note: This development does not need to necessarily be done by Paragon Initiative Enterprises. Interested PHP developers should feel welcome to take point on any of the components that interest them; we'll provide security review and additional support as needed.