Here are the slides for my talk "Composer Guide to Supply Chain Security" at PHP[TEK] in Chicago 2 weeks ago!
Supply chain security is such an important topic! My talk highlighted what you should know about Composer to effectively and securely use it in your dev workflows. It also showed what tools like Private @packagist can do to help.
Thank you to @phparch for putting on another great event and having us as a sponsor!
👋 We're hiring a Senior Software Engineer in Berlin or remote! 💻 Build high-quality supply chain tools for thousands of devs in the PHP ecosystem 🐘 with the makers of Composer.
We're a small experienced remote team, deeply caring about our customers and the quality of our product. 🧑🤝🧑 Help us maintain and improve key infrastructure for hundreds of businesses! 🎉
@MarkBaker @Skoop @packagist We already have someone working with us in the UK, and had someone in the Netherlands. I imagine in principle there'd be a way to still make this work via e.g. an EOR company in the respective location, so that shouldn't stop you!
@bobmagicii The rest of the explanation can hopefully clear this up. If someone on a machine runs composer as root, then it would sometimes unexpectedly execute files as root that a different user wrote, essentially allowing that other user to escalate their privileges.
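An added example (not from the original post and not part of Composer itself): a POSIX shell pre-flight wrapper that refuses to run Composer as root and refuses when the project tree contains files owned by a different user, which is the condition the reply above describes. The function names and the project-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Composer itself.
# Pre-flight checks before invoking composer: refuse to run as root, and
# refuse if anything in the project tree (composer.json, composer.lock,
# vendor/, scripts, plugins) is owned by a different user, since such
# files would otherwise be executed with the caller's privileges.

# Returns 0 if the effective user is not root, 1 otherwise.
not_root() {
    [ "$(id -u)" -ne 0 ]
}

# Returns 0 if every entry under $1 is owned by the current user,
# 1 otherwise. Offending paths are printed to stderr for review.
tree_owned_by_me() {
    dir=$1
    me=$(id -un)
    offenders=$(find "$dir" ! -user "$me" 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'files not owned by %s:\n%s\n' "$me" "$offenders" >&2
        return 1
    fi
    return 0
}

# Wrapper: run composer in $1 only when both checks pass; remaining
# arguments are passed through to composer (e.g. install, update).
safe_composer() {
    project=$1
    shift
    not_root || { echo "refusing to run composer as root" >&2; return 1; }
    tree_owned_by_me "$project" || return 1
    (cd "$project" && composer "$@")
}
```

Usage: `safe_composer /path/to/project install` from the account that owns the project files.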