Reviewing some content in this ante-penultimate (!!!) chapter of _Business Success with #OpenSource_ and suspect I may have been in an "I'm sick of this crap" mood when I wrote this.
I'll be in Seattle next week (Apr 15-18). Have questions about how your company uses/releases #OpenSource, about its #SoftwareSupplyChain management, or about its overall #Strategy/positioning?
Given the news of the xz backdoor, may I recommend this seminal paper from Ken Thompson's 1984 Turing Award lecture showing how a compiler with no backdoors in the source code can nevertheless propagate a backdoor.
PHPUnit 8.5.35, PHPUnit 9.6.14, and PHPUnit 10.5.0 are the first versions of PHPUnit where composer.lock is under version control and part of the (signed, of course) release tag.
The PHAR binary of PHPUnit now has a --composer-lock CLI option that prints the composer.lock that was used to build the PHAR.
Making the build of PHPUnit's PHAR reproducible is another step towards a more secure #PHP #SoftwareSupplyChain.
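One thing the `--composer-lock` option and the lock file in the signed tag make possible is a consumer-side check that the PHAR you downloaded was built from the dependency set the release tag pins. The script below is an added example, not code from PHPUnit or its author: it compares two composer.lock documents package by package on the fields that pin exact bytes (version, source reference, dist reference and shasum) and reports anything substituted, missing or injected. The sample lock contents are constructed for the example; the file names `tag.lock`, `phar.lock` and `lockdrift.py`, and the PHAR file name in the usage comment, are assumptions. `10.5.0` is the release mentioned in the post, and `git show <tag>:composer.lock` / `git verify-tag` are standard git commands.

```python
"""Compare the composer.lock a PHPUnit PHAR reports with the one in the
signed release tag.  Added example; not PHPUnit's own code.

Assumed workflow (the two commands that produce the inputs):
    git verify-tag 10.5.0                                  # tag is signed
    git show 10.5.0:composer.lock            > tag.lock    # lock in the tag
    php phpunit-10.5.0.phar --composer-lock  > phar.lock   # lock the PHAR reports
    python3 lockdrift.py tag.lock phar.lock
"""
import json
import sys

# Constructed sample lock files (not real PHPUnit data).  The second one
# has a substituted dist reference and an injected package.
TAG_LOCK = json.dumps({
    "packages": [
        {"name": "sebastian/diff", "version": "5.0.3",
         "source": {"type": "git", "reference": "aaaa1111"},
         "dist": {"type": "zip", "reference": "aaaa1111", "shasum": ""}},
        {"name": "phar-io/version", "version": "3.2.1",
         "source": {"type": "git", "reference": "bbbb2222"},
         "dist": {"type": "zip", "reference": "bbbb2222", "shasum": ""}},
    ],
    "packages-dev": [],
})

PHAR_LOCK = json.dumps({
    "packages": [
        {"name": "sebastian/diff", "version": "5.0.3",
         "source": {"type": "git", "reference": "aaaa1111"},
         "dist": {"type": "zip", "reference": "cccc3333", "shasum": ""}},
        {"name": "phar-io/version", "version": "3.2.1",
         "source": {"type": "git", "reference": "bbbb2222"},
         "dist": {"type": "zip", "reference": "bbbb2222", "shasum": ""}},
        {"name": "evil/helper", "version": "1.0.0",
         "source": {"type": "git", "reference": "dddd4444"},
         "dist": {"type": "zip", "reference": "dddd4444", "shasum": ""}},
    ],
    "packages-dev": [],
})

# Fields that pin exactly which bytes Composer fetched.  A version string
# alone is not enough: a tag can be moved or a zip swapped without it changing.
PINNED = ("version", "source.reference", "dist.reference", "dist.shasum")


def lock_packages(lock_text):
    """Flatten a composer.lock into {package name: {pinned field: value}}."""
    lock = json.loads(lock_text)
    pkgs = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            pinned = {}
            for field in PINNED:
                node = pkg
                for part in field.split("."):          # walk "dist.reference" etc.
                    node = (node or {}).get(part)
                pinned[field] = node
            pkgs[pkg["name"]] = pinned
    return pkgs


def lock_drift(expected_text, actual_text):
    """Return human-readable findings; an empty list means the locks agree."""
    expected = lock_packages(expected_text)
    actual = lock_packages(actual_text)
    findings = []
    for name in sorted(set(expected) | set(actual)):
        if name not in actual:
            findings.append(f"missing in PHAR lock: {name}")
        elif name not in expected:
            findings.append(
                f"unexpected in PHAR lock: {name} {actual[name]['version']}")
        else:
            for field in PINNED:
                if expected[name][field] != actual[name][field]:
                    findings.append(f"{name}: {field} "
                                    f"{expected[name][field]!r} != {actual[name][field]!r}")
    return findings


def main(argv):
    if len(argv) != 3:
        print(__doc__)
        return 2
    with open(argv[1]) as f:
        expected = f.read()
    with open(argv[2]) as f:
        actual = f.read()
    findings = lock_drift(expected, actual)
    for line in findings:
        print(line)
    print("OK: PHAR lock matches tag" if not findings else "DRIFT: PHAR lock differs from tag")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note what this does and does not establish. It trusts the lock file the PHAR prints about itself, so a PHAR that was tampered with after the build could simply print the right lock. That is exactly why the reproducible build matters: the stronger check is to rebuild the PHAR from the verified tag and compare the bytes, with this lock comparison serving as a cheap first pass.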