What this plugin does
Adam edited this page Jan 9, 2023
This plugin works only on Composer repositories. It needs to be explicitly enabled per repository.
For each enabled repository, the goal of the plugin is to run every relevant file download – that means both metadata like packages.json, and payloads like packages' ZIP files – through PHP-TUF, verifying that each downloaded file corresponds to a known, verifiable TUF target.
This protection does NOT cover packages installed from source. Although I haven't tested this, I believe that running Composer with --prefer-source would effectively, silently, shut off TUF integration. We should probably do something about that at some point.
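As an added illustration (this is not the plugin's or PHP-TUF's code, and it is not PHP), the Python sketch below models the per-file check that the plugin delegates to PHP-TUF for each dist download: the file's byte length and every hash listed for its path in TUF targets metadata must match, and a path that has no targets entry is rejected outright. Both a metadata file like packages.json and a package ZIP are handled the same way, which is the point made above. The targets entries, the `packages.json` body and the ZIP bytes are constructed for the example; the function names are hypothetical. Real TUF metadata is itself signed and checked against root, snapshot and timestamp metadata before any target is trusted, which this sketch deliberately omits, and a source checkout (as with --prefer-source) never passes through such a check at all.

```python
import hashlib
import hmac

# Constructed stand-in files. The ZIP is just a PK header plus padding; only
# its bytes matter for the length/hash comparison modelled here.
PACKAGES_JSON = b'{"packages": {"acme/lib": {"1.0.0": {"dist": {"url": "acme-lib-1.0.0.zip"}}}}}'
ACME_ZIP = b"PK\x03\x04" + b"\x00" * 60


def _target_entry(data: bytes) -> dict:
    """Build a targets-style entry (length + hashes) for constructed sample data."""
    return {"length": len(data), "hashes": {"sha256": hashlib.sha256(data).hexdigest()}}


# Constructed stand-in for the "targets" map of a TUF targets.json. In real TUF
# this metadata is signature-verified first; here it is assumed already trusted.
TARGETS = {
    "packages.json": _target_entry(PACKAGES_JSON),
    "acme-lib-1.0.0.zip": _target_entry(ACME_ZIP),
}


def check_target(path: str, data: bytes, targets: dict = TARGETS) -> tuple:
    """Return (True, "ok") if `data` is exactly the known target at `path`, else (False, reason).

    Order matters: unknown path first, then length (cheap, and TUF requires it),
    then every listed hash. A file that fails any step must not be handed to Composer.
    """
    entry = targets.get(path)
    if entry is None:
        return False, f"{path}: not a known TUF target"
    if len(data) != entry["length"]:
        return False, f"{path}: length {len(data)} != expected {entry['length']}"
    for algo, expected in entry["hashes"].items():
        actual = hashlib.new(algo, data).hexdigest()
        # constant-time compare; not strictly needed for public hashes, but harmless
        if not hmac.compare_digest(actual, expected):
            return False, f"{path}: {algo} mismatch"
    return True, "ok"


def download_checked(path: str, fetch, targets: dict = TARGETS) -> bytes:
    """Model of the download hook: fetch bytes, then refuse to return them unless they verify."""
    data = fetch(path)
    ok, reason = check_target(path, data, targets)
    if not ok:
        raise ValueError(reason)
    return data


if __name__ == "__main__":
    # Honest mirror: both metadata and payload verify.
    print(check_target("packages.json", PACKAGES_JSON))
    print(check_target("acme-lib-1.0.0.zip", ACME_ZIP))
    # Tampered payload of the same length: hash catches it.
    tampered = bytearray(ACME_ZIP)
    tampered[10] ^= 0x01
    print(check_target("acme-lib-1.0.0.zip", bytes(tampered)))
    # A file the metadata never mentioned is rejected even if intact.
    print(check_target("acme-lib-1.0.1.zip", ACME_ZIP))
```

Note that rejecting unknown paths is what stops a compromised mirror from serving an extra or renamed archive: the attacker would need to get the path into signed targets metadata, not just onto the web server.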