We are not satisfied with the security model of Composer. We believe a package manager has a substantial burden to protect and inform users, and that Composer currently fails to uphold that burden.

When you type composer require package/name, you implicitly trust both packagist.org and the package owner on packagist.org, who is unverifiable and not vetted. This default chain of trust is not made obvious to many users, and the package upstream may be essentially uninvolved. The circumstances in which packagist.org makes package changes are not documented, the changes are not signed, and these changes are not auditable. Package owners on packagist.org are not verifiable, changes they make are not signed, and their changes are not auditable. There is no chain of trust between the package upstream and packagist.org. None of this is very clear to the average user.

You can find more details on a specific case of this at: https://github.com/phacility/xhprof/pull/40

We may support Composer in the future, but this upstream's attitudes toward security are currently very different from Composer's attitudes toward security.

We understand that a lot of users don't care about this, and Composer works well and is easy to use, but this is important to us.