Yes, you will send your
composer.json to a place you don't know.
Yes, we do have the power to inject whatever package we want to in your resulting
No, there's nothing you can do against this.
Jobs are stored for exactly 1 hour. Workers are destroyed immediately after they've finished a job including all the data associated with it. The only thing that's left 1 hour later are the metrics.
You will have to trust us on this one. Just like you do trust packagist.org or basically the whole PHP ecosystem.
If you have any ideas on how trust could be established, let us know! Or meet us at some PHP conference :-)
The following metrics (those and only those!) are collected because of the respective reasons:
|Metric||Description / Reason|
|Client Key||Needed so statistics can be associated with a certain client.|
|Job submission datetime||Needed to be able to filter for given date periods.|
|Processing stop datetime||Needed to be able to determine the time needed to work on the job.|
|Job ID||Needed as the unique identifier of a job.|
|Memory Peak Usage||The peak memory usage needed to resolve a job. Might be interesting to know in general and also allows to decide on infrastructure needs.|
|Number of local packages||The number of local packages that were provided along with the job. Might be interesting to know in general and also allows to decide on infrastructure needs.|
|PHP Version||The PHP (minor only) version that was provided along with the platform information. Might be useful to see which platforms are used the most.|
|Processing start datetime||Needed to be able to determine the time needed to work on the job.|
|Status||Needed to determine whether the resolving process was successful or not.|