Bug#934104: composer: Don't use debian/copyright for LICENSE when generating autoloader
Add Reply
Kunal Mehta
2019-08-07 02:40:01 UTC
Package: composer
Version: 1.9.0-2
Severity: important

0005-Pick-up-copyright-instead-of-LICENSE.patch switches the composer autoload
generator to use debian/copyright instead of upstream's LICENSE file. This is
problematic for a few reasons:

First, vendor/ directories are no longer identical with people who use an
upstream version of composer or from a different distribution (example:

And secondly, minimal installations (e.g. docker containers) of Debian that
don't keep doc/ around can no longer run composer install.

Is there a reason we need the patch? I could totally be missing something.

-- Kunal

-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.74-1.pvops.qubes.x86_64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages composer depends on:
pn jsonlint <none>
pn php-cli <none>
pn php-common <none>
pn php-composer-ca-bundle <none>
pn php-composer-semver <none>
pn php-composer-spdx-licenses <none>
pn php-composer-xdebug-handler <none>
pn php-json-schema <none>
pn php-psr-log <none>
pn php-symfony-console <none>
pn php-symfony-filesystem <none>
pn php-symfony-finder <none>
pn php-symfony-process <none>

Versions of packages composer recommends:
ii git 1:2.20.1-2
ii unzip 6.0-23

Versions of packages composer suggests:
pn fossil <none>
pn mercurial <none>
pn php-zip <none>
pn subversion <none>
Kunal Mehta
2019-08-12 09:10:01 UTC
Post by Kunal Mehta
First, vendor/ directories are no longer identical with people who use an
Why is that a problem?
It causes divergence on the output of vendor/ simply based on how
composer was installed and decreases reproducibility. In cases where the
output of vendor/ is audited (like we do at Wikimedia), this is much
more noticeable.
I’ve updated the package to provide the upstream LICENSE file from
/usr/share/php/data/Composer, so both issues should be fixed after the
next upload, thanks.
Thank you very much!

-- Kunal