Hi, On 8/7/19 3:26 PM, David Prévot wrote: >> First, vendor/ directories are no longer identical with people who use an >> upstream version of composer or from a different distribution (example: >> https://gerrit.wikimedia.org/r/#/c/mediawiki/vendor/+/526262/1/composer/LICENSE). > > Why is that a problem?
It causes divergence on the output of vendor/ simply based on how composer was installed and decreases reproducibility. In cases where the output of vendor/ is audited (like we do at Wikimedia), this is much more noticeable. > ... > I’ve updated the package to provide the upstream LICENSE file from > /usr/share/php/data/Composer, so both issues should be fixed after the > next upload, thanks. Thank you very much! -- Kunal
