LinuxQuestions.org


sneakyimp 09-29-2015 06:25 PM

php-composer required, but I don't trust it
 
OK so I want to use php-opencloud and was quite chagrined to find this in the install instructions:
Code:

You must install this library through Composer:

# Install Composer
curl -sS https://getcomposer.org/installer | php

# Require php-opencloud as a dependency
php composer.phar require rackspace/php-opencloud

Now I'm sure a lot of people are very excited by composer. I am not so excited.

Can anyone suggest a way that I might run these commands in a chroot jail or something so that I can truly understand what files are downloaded, what sites are accessed, what local files are changed, etc.?

Rants in favor of or against composer are also welcome.

chrism01 09-29-2015 07:53 PM

Well, php is a src code language, so you could just download it ("installer") but not run it through php. Instead read the downloaded file?

sneakyimp 09-29-2015 08:20 PM

Quote:

Originally Posted by chrism01 (Post 5427583)
Well, php is a src code language, so you could just download it ("installer") but not run it through php. Instead read the downloaded file?

I started to. It's over 4000 lines. I thought it would be more efficient to try and run it in some kind of jail and see what files it actually downloads (or alters) rather than trying to speculate theoretically about its results.

ceyx 09-29-2015 09:58 PM

Could you not try installing from git?

I didn't like the idea of composer either, but have come to like it well enough.

Install it to a VM, and toast it if you don't like what you see :)

sneakyimp 09-30-2015 01:27 PM

Quote:

Originally Posted by ceyx (Post 5427624)
Could you not try installing from git?

As I originally posted, the installation instructions for php-opencloud on github say one MUST use composer:
Quote:

You must install this library through Composer
To install without composer is probably not especially difficult, but the composer.json file says there are a number of dependencies. I'm not sure if I can get away with just require or whether I need require-dev. I'm also not sure what the simple path names mean in there. For instance, what does guzzle/guzzle refer to? Are these github partial paths? Can anyone help me decipher this composer.json file?
Code:

{
    "name": "rackspace/php-opencloud",
    "description": "PHP SDK for Rackspace/OpenStack APIs",
    "keywords": ["rackspace", "openstack", "opencloud", "swift", "nova"],
    "type": "library",
    "license": "Apache-2.0",
    "authors": [
        {
            "name": "Jamie Hannaford",
            "email": "jamie.hannaford@rackspace.com",
            "homepage" : "https://github.com/jamiehannaford"
        }
    ],
    "autoload": {
        "psr-0": {
            "OpenCloud": ["lib/", "tests/"]
        }
    },
    "require": {
        "php" : ">=5.4",
        "guzzle/guzzle" : "~3.8",
        "psr/log": "~1.0",
        "mikemccabe/json-patch-php": "~0.1"
    },
    "require-dev" : {
        "phpunit/phpunit": "4.3.*",
        "phpspec/prophecy": "~1.4",
        "satooshi/php-coveralls": "0.6.*@dev",
        "jakub-onderka/php-parallel-lint": "0.*",
        "fabpot/php-cs-fixer": "1.0.*@dev",
        "apigen/apigen": "~4.0"
    }
}

Quote:

Originally Posted by ceyx (Post 5427624)
I didn't like the idea of composer either, but have come to like it well enough.

It's easy to understand the allure. Getting dependencies in place is a chore. This makes it easier. HOWEVER, it seems abundantly clear that devs are all too willing to trust other convenient packages without making any attempt to check that those other packages are in fact trustworthy. For something like access to my rackspace cloud account, that is unacceptable. PHP-opencloud has my account credentials. Security is important.

Quote:

Originally Posted by ceyx (Post 5427624)
Install it to a VM, and toast it if you don't like what you see :)

This is more or less what I was getting at, but I still need the right commands to monitor exactly which files are changed. How do I know, for instance, that /etc/passwd hasn't been accessed or changed?

chrism01 09-30-2015 07:04 PM

For specific files you are worried about you can take copies & either eyeball or run diff to check.
If you want to know about every file it changes, you'll have to read the code and/or ask the suppliers - do they have a community / support forum?
Maybe it's in the FAQ?

Actually, something like tripwire (if it's still around) or an equiv, although even then I'm not sure whether it's practical to monitor EVERY file on your system.

Have you tried googling around about this tool generally to see if anyone has ever complained?
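The "take copies and run diff" idea above, written out as a snapshot-and-compare script so it also answers the earlier question about whether a file such as /etc/passwd was touched. This is an added example, not code from the thread or from composer; it assumes GNU coreutils (sha256sum, find, xargs -r) and awk, and that watched paths contain no whitespace. The directories, files and the fake "installer" in demo() are constructed for illustration.

```shell
#!/bin/sh
# Snapshot every regular file under the watched directories before and after
# an untrusted command runs, then report what was ADDED, REMOVED or CHANGED.

snapshot() {
    # snapshot OUTFILE DIR...  ->  OUTFILE holds "<sha256>  <path>" per file
    out=$1; shift
    find "$@" -type f -print0 2>/dev/null | xargs -0 -r sha256sum 2>/dev/null | sort -k2 > "$out"
}

compare_snapshots() {
    # compare_snapshots BEFORE AFTER  ->  one sorted line per difference.
    # FILENAME == ARGV[1] rather than NR == FNR, so an empty BEFORE file
    # (nothing existed yet) does not get the AFTER lines misattributed to it.
    awk '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        { after[$2] = $1 }
        END {
            for (p in after) {
                if (!(p in before))              print "ADDED " p
                else if (before[p] != after[p])  print "CHANGED " p
            }
            for (p in before) if (!(p in after)) print "REMOVED " p
        }' "$1" "$2" | sort
}

watched_run() {
    # watched_run WORKDIR "COMMAND" DIR...  ->  runs COMMAND inside WORKDIR
    # with DIR... snapshotted before and after, prints the difference report.
    work=$1; cmd=$2; shift 2
    snapshot "$work/before.sha256" "$@"
    ( cd "$work" && sh -c "$cmd" ) >/dev/null 2>&1
    snapshot "$work/after.sha256" "$@"
    compare_snapshots "$work/before.sha256" "$work/after.sha256"
}

demo() {
    # Constructed scenario (hypothetical files): a fake installer that adds a
    # vendor file, edits composer.json and deletes a lock file, while a
    # separate "etc" tree is watched to confirm it was left alone.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/project" "$tmp/etc"
    echo 'original'   > "$tmp/project/composer.json"
    echo 'stale'      > "$tmp/project/old.lock"
    echo 'root:x:0:0' > "$tmp/etc/passwd"
    fake='mkdir -p project/vendor; echo lib > project/vendor/lib.php;
          echo edited > project/composer.json; rm project/old.lock'
    watched_run "$tmp" "$fake" "$tmp/project" "$tmp/etc"
    rm -rf "$tmp"
}

demo
```

To check a real install, replace the fake command with the composer invocation and list the project directory plus any sensitive trees (for example /etc) as the watched directories.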

sneakyimp 10-01-2015 10:23 AM

Quote:

Originally Posted by chrism01 (Post 5428090)
For specific files you are worried about you can take copies & either eyeball or run diff to check.
If you want to know about every file it changes, you'll have to read the code and/or ask the suppliers - do they have a community / support forum?
Maybe it's in the FAQ?

Strictly speaking, this is not true. I vaguely recall a command that would let one monitor all file accesses/changes in a particular subdirectory but I can't seem to find it. I was hoping to use something like that in combination with a chroot jail or something to prevent composer from modifying or accessing any sensitive files.

Quote:

Originally Posted by chrism01 (Post 5428090)
Actually, something like tripwire (if it's still around) or an equiv, although even then I'm not sure whether it's practical to monitor EVERY file on your system.

I don't think I need to continually monitor the system -- just long enough to run the composer install would be enough I think.

Quote:

Originally Posted by chrism01 (Post 5428090)
Have you tried googling around about this tool generally to see if anyone has ever complained?

https://scott.arciszewski.me/blog/20...e-composer-php

chrism01 10-01-2015 07:31 PM

For a dir, try inotifywait or inotifywatch?

sneakyimp 10-02-2015 09:59 AM

Quote:

Originally Posted by chrism01 (Post 5428566)
For a dir, try inotifywait or inotifywatch?

Aha! That's it. I was able to find this old thread with more detail.

Now is there any way to jail composer while it runs? I.e., constrain its file access to some subdirectory?

