Allow fetching packagist.org/packages.json without provider-includes

[effulgentsia]

For BC with Composer 1, https://packagist.org/packages.json includes the provider-includes field in its response.

Since this field is not used by Composer 2, for clients that know they are using Composer 2, it would be nice to be able to request a representation of https://packagist.org/packages.json without that field. For example, perhaps a syntax like https://packagist.org/packages.json?provider-includes=false or https://packagist.org/packages.json?v2.

A use-case for this is for Drupal we're working on integrating package and metadata signatures based on The Update Framework, and until Packagist implements its own signing system (whether TUF or something else), we're looking into adding a signature for https://packagist.org/packages.json into Drupal's TUF repository. However, the provider-includes section of that file changes frequently, which would complicate that for us. If instead we could sign and use something like a https://packagist.org/packages.json?v2 URL that didn't include provider-includes, then that signature would be less volatile.

Alternatively, we can remove that field on our end after downloading it, but that seems more fragile, so thought I'd open this issue to see if Packagist maintainers think it's a good idea to add a v2-only representation on your end. Whether you're for or against that, thanks in advance for considering it!

[stof]

Adding a query string to change the content would be hard because this is a static file served directly by nginx.

[Seldaek]

Yeah I'd rather not complicate matters there, we have had a single entry point as a static file for over 10years. Removing provider-includes before signing sounds reasonable though..

[effulgentsia]

Thanks for the answer! Makes sense.