Strengthening PHP Supply Chain Security with a Transparency Log for Packagist.org
The release of Composer 2.9 this week introduced new security features on the Composer CLI client, which were funded by Private Packagist through service subscriptions. But in parallel, we are working on security on the main PHP package repository at Packagist.org with additional funding from the Sovereign Tech Agency, a German government initiative strengthening critical open-source infrastructure, as part of a set of projects organized by the PHP Foundation, a non-profit supporting PHP’s language development.
We are developing a transparency log system for Packagist.org that will make security-relevant events publicly visible. With over 400 thousand packages and 100 million daily installs, we consider providing auditability and transparency for the PHP supply chain essential.
Improving Supply Chain Transparency
The Transparency Log will make security-relevant events publicly accessible through both a web interface and an API. This will provide the PHP community with a detailed history of package lifecycle events, tracking activity such as ownership changes, source URL modifications, maintainer additions and removals, release or removal of versions, modification of git tags of underlying package versions, and other critical account security events like two-factor authentication status changes and password resets.
This public transparency enables security researchers to monitor packages for suspicious activity patterns and helps organizations track changes in their dependencies. It will also support post-incident investigation when supply chain attacks are discovered and allow third-party tools to provide automated monitoring and alerting services.
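As an added illustration of the kind of automated monitoring described above (this is not Packagist's code, and the Transparency Log API does not yet exist), the following PHP script consumes a hypothetical newline-delimited JSON export of log events, cross-references each event against the packages pinned in a project's composer.lock, and raises an alert for the high-risk event types the post lists. The event format, field names (`type`, `package`, `affected_packages`, `time`, `details`) and event type names are assumptions; the sample events and lock file are constructed inline.

```php
<?php
declare(strict_types=1);

// Event types treated as high risk for a consuming project (names are assumed,
// chosen to mirror the categories the announcement describes).
const HIGH_RISK_EVENTS = [
    'package.owner_changed',       // ownership change
    'package.source_url_changed',  // source URL modification
    'package.maintainer_added',    // maintainer addition
    'package.tag_modified',        // git tag of an existing version rewritten
    'package.version_removed',     // release removed
    'account.2fa_disabled',        // account security event
    'account.password_reset',      // account security event
];

/** Return the set of package names pinned in a composer.lock document. */
function lockedPackages(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $names = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $names[$pkg['name']] = true;
        }
    }
    return $names;
}

/**
 * Scan a hypothetical NDJSON event feed and return one alert line per
 * high-risk event that touches a package we depend on. Account-level events
 * carry an assumed "affected_packages" list instead of a single "package".
 */
function findAlerts(string $ndjson, array $installed): array
{
    $alerts = [];
    foreach (explode("\n", trim($ndjson)) as $line) {
        if ($line === '') {
            continue;
        }
        $event = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        if (!in_array($event['type'] ?? '', HIGH_RISK_EVENTS, true)) {
            continue;
        }
        // Normalise to a list of packages the event concerns.
        $touched = isset($event['package'])
            ? [$event['package']]
            : ($event['affected_packages'] ?? []);
        $relevant = array_values(array_filter(
            $touched,
            static fn (string $name): bool => isset($installed[$name])
        ));
        if ($relevant === []) {
            continue;
        }
        $alerts[] = sprintf(
            '%s %s -> %s %s',
            $event['time'] ?? '(no time)',
            $event['type'],
            implode(', ', $relevant),
            json_encode($event['details'] ?? [], JSON_UNESCAPED_SLASHES)
        );
    }
    return $alerts;
}

// Constructed sample composer.lock (only the fields the script reads).
$lockJson = <<<'JSON'
{"packages":[{"name":"acme/http-client","version":"2.1.0"},{"name":"acme/logger","version":"1.4.2"}],
 "packages-dev":[{"name":"acme/test-utils","version":"0.9.0"}]}
JSON;

// Constructed sample event feed in the assumed NDJSON format.
$events = <<<'NDJSON'
{"time":"2025-01-10T08:00:00Z","type":"package.version_released","package":"acme/logger","details":{"version":"1.4.3"}}
{"time":"2025-01-10T09:12:00Z","type":"package.source_url_changed","package":"acme/http-client","details":{"from":"https://github.com/acme/http-client","to":"https://github.com/other-org/http-client"}}
{"time":"2025-01-10T09:13:00Z","type":"package.tag_modified","package":"acme/http-client","details":{"tag":"v2.1.0"}}
{"time":"2025-01-10T10:00:00Z","type":"package.owner_changed","package":"unrelated/pkg","details":{}}
{"time":"2025-01-10T11:30:00Z","type":"account.2fa_disabled","affected_packages":["acme/test-utils","unrelated/pkg"],"details":{"user":"maintainer-x"}}
NDJSON;

foreach (findAlerts($events, lockedPackages($lockJson)) as $alert) {
    echo "ALERT: {$alert}\n";
}
```

Run with `php monitor.php`; the unrelated ownership change and the benign release are ignored, while the source URL change, the rewritten tag on an already-pinned version and the maintainer's 2FA removal each produce an alert line. A real integration would page the event feed incrementally and persist the last seen event time, but the filtering logic stays the same.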
The initial implementation is underway, with the remaining events and public interfaces being developed incrementally. By improving visibility through transparency logs, we're addressing a critical aspect of supply chain security: detecting suspicious changes when they occur. This development is in line with the transparency log requirement for General Capabilities Level 3 of the Principles for Package Repository Security published by the OpenSSF's Securing Software Repositories Working Group, in which we participate alongside other package ecosystems.
Looking Ahead: Organizational Package Ownership
Our next major initiative planned for next year, also funded through the PHP Foundation and the Sovereign Tech Agency, will tackle organizational package ownership. This project will address a long-standing security challenge where teams resort to shared accounts and passwords, undermining security and preventing effective use of two-factor authentication.
This feature will allow companies and open-source projects alike to create organizations, manage memberships and permissions, and maintain package continuity even as team members change, enabling further future functionality on Packagist.org.