phar-io / phar.io

Website of the phar.io project
https://phar.io

Add composer itself? Plus a few phars I know and are not on the list #24

Closed pepijnblom closed 6 years ago

pepijnblom commented 6 years ago

Shouldn't composer be in the list as well?

There are some other ones off the top of my head:

Actually there's a whole bunch on this "awesome list": https://github.com/algo13/awesome-php-static-analysis

theseer commented 6 years ago

While I perfectly agree that these tools should be supported, we currently cannot add them. Their maintainers need to provide gpg signed releases in a trackable form first. So far, this is not the case for any of the tools you listed. Some do provide phars via github releases others only provide proprietary download links. But without a valid, verifiable gpg signature neither can be securely installed.

Composer is inherently worse as they do not provide any means of sanely downloading and verifying releases. See https://github.com/phar-io/phive/issues/110 for details.

So for now, I don't think we can do much. People using these tools should open tickets with the respective tool maintainers to have them provide gpg signed releases.

Sorry. I'm closing this issue.
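The requirement above (a release only counts as installable when it ships with a detached GPG signature that verifies against a key the user has chosen to trust) is what a phive-style installer checks before it ever executes a phar. The POSIX shell below is an added example written for this thread, not code from phive or phar.io: `check_gpg_status` parses the machine-readable `--status-fd` output that real `gpg` emits and accepts only a `VALIDSIG` whose fingerprint (or primary-key fingerprint) equals a pinned value, and `verify_phar` refuses to proceed when the `.asc` file is missing at all. `TRUSTED_FPR` and every fingerprint shown are constructed placeholders; `verify_phar` assumes `gpg` is installed.

```shell
#!/bin/sh
# Added example (not phive's own code): gate a phar on a pinned, valid GPG signature.
# TRUSTED_FPR is a placeholder; pin the maintainer's published fingerprint here.
TRUSTED_FPR="${TRUSTED_FPR:-0000000000000000000000000000000000000000}"

# check_gpg_status: read "gpg --status-fd 1" lines on stdin.
# Returns 0 only when a VALIDSIG line carries the pinned fingerprint ($1),
# either as the signing-subkey fingerprint or the primary-key fingerprint.
# Any BADSIG / ERRSIG / NO_PUBKEY / expired or revoked key is an immediate reject.
check_gpg_status() {
    pinned="$1"
    ok=1
    while read -r tag status fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$status" in
            VALIDSIG)
                # Last field of a VALIDSIG line is the primary key fingerprint.
                primary="${rest##* }"
                if [ "$fpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    ok=0
                fi
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    return $ok
}

# verify_phar PHAR [SIGNATURE]: exit 2 if the phar or its detached signature is
# absent (an unsigned release is not installable), otherwise run gpg and apply
# the fingerprint pin to its status output. A "GOODSIG" alone is not enough:
# without the pin, any key that happens to be in the keyring would be accepted.
verify_phar() {
    phar="$1"
    sig="${2:-$1.asc}"
    [ -f "$phar" ] || { echo "missing phar: $phar" >&2; return 2; }
    [ -f "$sig" ]  || { echo "refusing: no detached signature $sig" >&2; return 2; }
    gpg --batch --status-fd 1 --verify "$sig" "$phar" 2>/dev/null \
        | check_gpg_status "$TRUSTED_FPR"
}

# Usage: TRUSTED_FPR=<published fingerprint> ./verify.sh && php tool.phar
# verify_phar tool.phar || exit 1
```

The pin is the part that matters: `gpg --verify` alone reports success for any key in the local keyring, so an installer that only checks the exit code trusts whatever keys a user (or an earlier `--recv-keys`) happened to import. Comparing the `VALIDSIG` fingerprint against a value the user deliberately accepted is what turns "signed" into "signed by the maintainer".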

theseer commented 6 years ago

For reference:

jk commented 6 years ago

Also for reference: PHPCS managed to upload gpg signed keys.

theseer commented 6 years ago

PHP CodeSniffer is indeed now supported via phive install squizlabs/php_codesniffer. I also just added the alias, so phive install phpcs should work as well - if an updated repository list has already been downloaded.