Securing PHP package repositories with TUF

Public, centralized package repositories for open source, third-party libraries are critical for the success of any programming language. At the same time, their popularity is also their greatest weakness: a single compromise of a repository is sufficient to poison the well for millions of devices all at once. In 2021, it is safe to say that such a compromise is only a question of when, not if. The Update Framework (TUF) is an open-source standard designed precisely to secure end-users against a repository compromise. In this talk, we will discuss how TUF can be used to secure PHP package repositories, as well as our ongoing collaboration with the PHP-TUF and Drupal teams for doing so.