Protection from workarounds and hacks

[PatchRanger]

First appeared in salsify/jsonstreamingparser#63 (comment) .

The issue is that any company big enough to find it worth paying the fee for immediate download would have the expertise to create their own workaround to avoid having a dependency on composer-free2wait.

Threats

I see these opportunities to workaround the forced awaiting (if you see more - please let me know in comments):

• Apply the patch, replacing awaiting with dummy, regularly at each install/update (e.g., by cweagans/composer-patches)
• (from Please stop spamming (almost) every project! #6 (comment)) Usage of --no-plugins command option.
• (from Please stop spamming (almost) every project! #6 (comment)) Adding a replace section in your root composer.json file.

Creating own repo is not an option - as it would miss updates from original repo.

Protection

1. Active (which makes it harder to apply any workaround):

• Distribution as phar (in order to harden patching).
• Check signature SHA-2.

2. Passive (which makes it harder to have any workaround):

• Select appropriate licensing (in order to prevent usage of modified (patched) version). See Add license in order to make it legally usable #1 as relevant.

[mbabker]

Your solution to this is to fork Composer and essentially the entirety of the PHP ecosystem which would elect to participate in this effort to create a closed network sharing some money around. Good luck!