box PHAR RFC

This is a meta document to keep track of what could be submitted to PHP core.

Deprecate the OpenSSL signature.

As explained here, the PHAR signature provides no guarantee whatsoever and the OpenSSL signature is especially bad as it it:

requires to handle a private key + prompt on Box (or any other bundler) side
requires to always have the .asc file to have the PHAR working, making it a lot less convenient to use.

Allow to set the timestamp of the PHAR

Make https://github.com/Seldaek/phar-utils obsolete.

Deprecate the Metadata

See #1152.

Provide a new method to retrieve the manifest

Since we have industry standards as SBOM or libraries like Manifest, it could make sense to have a Phar::getManifest() method.

Nov 05 '23 23:11 theofidry

idea: throw a proper exception when couldn't compress due to file descriptor limit

Dec 10 '23 22:12 theofidry

To format:

# Document to write ideas of what should be in PHP src

## Extension name

From PackageInfo / Extension

// Some extensions name differs in how they are registered in composer.json
// and the name used when doing a `extension_loaded()` check.
// See https://github.com/box-project/box/issues/653.
private const EXTENSION_NAME_MAP = [
    'zend-opcache' => 'zend opcache',
];


## More compression algorithms


## Deprecate Metadata


## Get Manifest

## Default hash algorithm

## Deprecate OpenSSL signing

## (unrelated) Propose ::create(...) or ::__construct(...) or Foo(...) (i.e. the classname)

## PharUtils::setTimestamp()

Dec 13 '23 12:12 theofidry

box box copied to clipboard

PHAR RFC

Deprecate the OpenSSL signature.

Allow to set the timestamp of the PHAR

Deprecate the Metadata

Provide a new method to retrieve the manifest

box
box copied to clipboard