You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A use-case for this is for Drupal we're working on integrating package and metadata signatures based on The Update Framework, and until Packagist implements its own signing system (whether TUF or something else), we're looking into adding a signature for https://packagist.org/packages.json into Drupal's TUF repository. However, the provider-includes section of that file changes frequently, which would complicate that for us. If instead we could sign and use something like a https://packagist.org/packages.json?v2 URL that didn't include provider-includes, then that signature would be less volatile.
Alternatively, we can remove that field on our end after downloading it, but that seems more fragile, so thought I'd open this issue to see if Packagist maintainers think it's a good idea to add a v2-only representation on your end. Whether you're for or against that, thanks in advance for considering it!
The text was updated successfully, but these errors were encountered:
Yeah I'd rather not complicate matters there, we have had a single entry point as a static file for over 10years. Removing provider-includes before signing sounds reasonable though..
For BC with Composer 1, https://packagist.org/packages.json includes the
provider-includes
field in its response.Since this field is not used by Composer 2, for clients that know they are using Composer 2, it would be nice to be able to request a representation of https://packagist.org/packages.json without that field. For example, perhaps a syntax like https://packagist.org/packages.json?provider-includes=false or https://packagist.org/packages.json?v2.
A use-case for this is for Drupal we're working on integrating package and metadata signatures based on The Update Framework, and until Packagist implements its own signing system (whether TUF or something else), we're looking into adding a signature for https://packagist.org/packages.json into Drupal's TUF repository. However, the provider-includes section of that file changes frequently, which would complicate that for us. If instead we could sign and use something like a https://packagist.org/packages.json?v2 URL that didn't include
provider-includes
, then that signature would be less volatile.Alternatively, we can remove that field on our end after downloading it, but that seems more fragile, so thought I'd open this issue to see if Packagist maintainers think it's a good idea to add a v2-only representation on your end. Whether you're for or against that, thanks in advance for considering it!
The text was updated successfully, but these errors were encountered: