naderman

@naderman@phpc.social

Co-Founder of Packagist
/ https://packagist.com and Co-Creator of #composerphp - he/him

ramsey, to php

I was looking at this Sass (SCSS) compiler, written in #PHP, and I noticed something very odd.

Under “requires (dev),” it requires two packages, sass/sass-spec and thoughtbot/bourbon, both of which appear to be empty packages, containing only a composer.json file, which has no dependencies.

What’s the purpose of these packages? They otherwise appear suspicious, to me, but I can’t see that they're doing anything nefarious right now—they just appear pointless.

https://packagist.org/packages/scssphp/scssphp

naderman,

@ramsey @seldaek that's a bit of a shortcoming in packagist.org we should probably address. scssphp's composer.json actually contains a custom package repository definition which defines thoughtbot/bourbon as something that doesn't exist on packagist.org and because it's only in require-dev which is only loaded from root composer.json, that means that custom definition will always be used, and never the package that's linked to on packagist.org.
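As an added example (not code from this thread, from scssphp or from Composer itself), a small Python audit that reads a constructed composer.json modelled on the situation naderman describes and reports the require/require-dev entries that an inline "package" repository will serve instead of the package packagist.org links to; the sample's URL, version and sibling packages are constructed placeholders.

```python
import json

# Constructed sample modelled on the thread above (not scssphp's real file):
# the root composer.json declares an inline "package" repository that defines
# thoughtbot/bourbon itself and also lists it under require-dev. URL and
# version are constructed placeholders.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/app",
  "require": {"symfony/yaml": "^6.0"},
  "require-dev": {"thoughtbot/bourbon": "dev-master", "phpunit/phpunit": "^10"},
  "repositories": [
    {"type": "package",
     "package": {"name": "thoughtbot/bourbon", "version": "dev-master",
                 "source": {"type": "git",
                            "url": "https://example.invalid/bourbon.git",
                            "reference": "main"}}}
  ]
}"""


def custom_package_definitions(manifest: dict) -> dict:
    """Map package name -> origin URL for every inline 'package' repository.
    Composer accepts "repositories" as a list or a name-keyed object, and a
    "package" repository may carry one definition or a list of them."""
    repos = manifest.get("repositories", [])
    if isinstance(repos, dict):
        repos = list(repos.values())  # object form; {"packagist.org": false} is skipped below
    found = {}
    for repo in repos:
        if not isinstance(repo, dict) or repo.get("type") != "package":
            continue
        defs = repo.get("package", [])
        for pkg in defs if isinstance(defs, list) else [defs]:
            origin = pkg.get("source") or pkg.get("dist") or {}
            found[pkg["name"]] = origin.get("url", "<no url>")
    return found


def shadowed_dependencies(manifest_text: str) -> dict:
    """Return {name: origin URL} for require/require-dev entries that Composer
    will serve from an inline definition instead of the packagist.org package.
    Repositories and require-dev are read only from the root composer.json, so
    the override applies to whoever installs this project with dev deps while
    packagist.org keeps linking to its own (unrelated) package."""
    manifest = json.loads(manifest_text)
    custom = custom_package_definitions(manifest)
    wanted = {**manifest.get("require", {}), **manifest.get("require-dev", {})}
    return {name: custom[name] for name in wanted if name in custom}
```

Run `shadowed_dependencies(open("composer.json").read())` against a real root manifest to see which names are being served inline; "vcs" and "path" repositories carry no package name and need a look at composer.lock's dist/source URLs instead.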

naderman, to php

Here are the slides for my talk "Composer Guide to Supply Chain Security" at PHP[TEK] in Chicago 2 weeks ago!

Supply chain security is such an important topic! My talk highlighted what you should know about Composer to effectively and securely use it in your dev workflows. It also showed what tools like Private @packagist can do to help.

Thank you to @phparch for putting on another great event and having us as a sponsor!

https://naderman.de/slippy/slides/2024-04-23-PHPTEK-Composer-Guide-To-Supply-Chain-Security.pdf

naderman, to random

At @mwop now on stage with fascinating insights on the State of PHP in 2024 from the @zend landscape report

naderman, to random

Great talk on breaking up a monolithic application into packages with by @danaluther at - thanks for the @packagist shout outs too!

packagist, to php

👋 We're hiring a Senior Software Engineer in Berlin or remote! 💻 Build high-quality supply chain tools for thousands of devs in the PHP ecosystem 🐘 with the makers of Composer.

We're a small experienced remote team, deeply caring about our customers and the quality of our product. 🧑‍🤝‍🧑 Help us maintain and improve key infrastructure for hundreds of businesses! 🎉

https://packagist.com/about/careers/senior-software-engineer-1

naderman,

@MarkBaker @Skoop @packagist We already have someone working with us in the UK, and had someone in the Netherlands, I imagine in principle there'd be a way to still make this work via e.g. an EOR company in the respective location, so that shouldn't stop you!

sebastian, to random

Last month, Tidelift sent me an email:

"[...] the reality is that we haven’t had as much traction with enterprise app developers using PHP as we have with other ecosystems [...] we will be reducing the income for PHP packages to a base level of $25/mo per package"

As a result, the monthly amount I receive through Tidelift was reduced from 975 USD / month to 500 USD / month.

naderman,

@derickr @sebastian They did agree a while back at least to make "Composer" a dependency on their end of everything that has Composer dependencies, which seemed kind of fair. But also down from ~1800 USD to ~180 USD per month now.

naderman, to random

The sad part about today's xz/liblzma discovery is that again critical infrastructure was maintained by overworked volunteers without sufficient assistance or support. We, as professional software engineers, or even we, as society, relying on their volunteer work, failed them.

https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html

naderman, to random

Composer 2.7 is out now! New features like minimal changes in partial updates and most importantly a security fix! https://blog.packagist.com/composer-2-7-and-cve-2024-24821/

naderman,

@bobmagicii The rest of the explanation can hopefully clear this up. If someone on a machine runs composer as root then it would sometimes unexpectedly execute files as root that a different user wrote, essentially allowing that other user to escalate their privileges.

naderman, to php

Thanks once again to AWS Open Source for continuing their support of packagist.org with credits through their open source credits program for 2024: https://aws.amazon.com/blogs/opensource/aws-promotional-credits-open-source-projects/

You can help sponsor Packagist.org & Composer infrastructure, and more importantly all the many hours of work going into maintaining and operating packagist.org through GitHub sponsors github.com/sponsors/composer or Tidelift https://tidelift.com/subscription/pkg/packagist-composer-composer

naderman, to php

We just contributed another $18,000 from @packagist to @thephpf for next year. I challenge all of you with companies bigger than our team of 6 to support the foundation with an amount larger than that! Support the foundation here: https://opencollective.com/phpfoundation

naderman, to random

Hope you enjoyed my talk on Software Supply Chains with Composer - here are the slides https://naderman.de/slippy/slides/2023-12-07-SymfonyCon-Brussels-Get-a-Grip-On-Your-Projects-Supply-Chain.pdf - Come meet me at the conference and tell me all about how you and your company work with Composer and dependencies in general!

I also got Composer stickers!

naderman,

@thomastospace thank you!

naderman, to random

TIL: In Berlin, it's normal that your building has a keysafe built into its outside wall, which the fire department and potentially also gas/energy providers can access in emergencies. Also, sufficiently sophisticated thieves can remove these safes and get keys to your building🤦

naderman, to random

Do I know anyone or does anyone I know, know anyone working on bahn.de website / booking system? Would like to show a bug via screenshare that leads to paying for reservations you don't actually get, without any warning/error. But I'd rather avoid having to go through first level support ...

naderman, to random

Excited this is happening in Berlin today: Wolf Vollprecht kicking off at the EUREF Campus - @packagingcon

naderman, to random

How I know I'm back in Berlin? After Brussels Midi announcing every little regional train in 4 languages, no announcements about taking the RE8 instead of cancelled FEX on the platform, and in train from airport to central station the announcement is in German only 🤦‍♂️

naderman, to drupal

Slides for my "Composer Behind the Scenes" talk this morning at Lille - my favorite was my attempt at a graph showing the Composer 1 updater mess 😆 Find me for Composer stickers! https://naderman.de/slippy/slides/2023-10-19-DrupalCon-Lille-Composer-Behind-The-Scenes.pdf

naderman, to drupal

Attending in Lille? I'd love to meet you and hear about your use of Composer and how you work with dependencies!

  • Come see my talk on "Composer Behind the Scenes" on Thursday at 9:15am in room 3.2 A&B
  • Join me for conversation about the PHP Foundation on Wednesday 16:15 in room 2.2
  • Meet me in the hallway and tell me about your challenges with dependencies, or simply pick up Composer stickers!

ramsey, to random

@naderman @seldaek Curious if this is something you’re aware of. https://packaging-con.org

naderman,

@derickr @ramsey @seldaek @a heh yes, aware and attending ;-) unfortunately didn't find time to submit something for the CFP myself

phpugdd, to random

🤯 Crazy what CO2 emission is caused by probably unused package files shipped with every install from @packagist. Carsten Windler at — Numbers are rough estimates

naderman,

@phpugdd @packagist Just came across this. This is a gross miscalculation. Installs do not equal downloads. In fact most installs happen from caches, which avoid redownloading files already downloaded.

naderman,

@heiglandreas @phpugdd @packagist Yes, I mean that's what it is supposed to count, installs. And installs are what people do when switching branches 🤷‍♂️

naderman, to random

Well that was an emotional roller coaster: From helping work out details of someone's incident via considering if your entire infra is owned, wondering if you'll get sued, go bankrupt & never find a job again, to realizing just 1 user had their credentials taken elsewhere 😰