Toran Proxy and the future of Composer

TL;DR: New shiny product to support Composer development: Toran Proxy

A bit of history

I have spent quite a large part of the last three years working on both Composer and Packagist. This has been great fun for the most part, I learned tons, met a gazillion people both online and offline, got to travel places to talk about it at conferences. One question I get asked frequently is how I find the time to work on this for free, and my answer until recently was along the lines of: "I run my own business, which affords me quite some flexibility".

The problem is that I can not use this answer anymore. We have changed Nelmio's business model a few months ago to focus more on consulting and contracting. While this does not change the amount of time I can decide to spend on open source, it means that if I keep working the way I did in the past I will have to move under a bridge sooner or later.

Open-Source or a Salary?

I have spent quite some time over the last few months evaluating options to get out of the current situation. Having to choose between working on open source or earning a living is not great, and I feel horrible for ignoring GitHub issues and such. So the one thing I settled on is to work on an product around Composer that helps businesses using it but does not take anything away from the regular users.

Introducing Toran Proxy

Toran Proxy does mainly two things at the moment: it proxies Packagist, GitHub and others to make Composer faster and more reliable, and it allows you to host private packages easily. This was already sort of possible with Satis and many people used various amounts of hackery to get there. Toran makes it easier and faster. It integrates better with Composer since it acts as a real proxy. It can fetch/build packages lazily or can build them ahead of time, enabling you to choose between a lower disk usage or more safety against GitHub outages and such.

It comes with a yearly license fee, which includes updates and will hopefully allow me to work full time on improving Composer & Packagist. There is quite a big backlog of issues to look at and pull requests to review, finalize and merge. Packagist also has tons of potential for improvement. I have a million ideas and I really hope I get the chance to work on them. For example improvements in the discoverability of packages alone would benefit most everyone in the PHP community.

Of course Composer and Packagist remain free to use and fully open source. There is no way that will change. I just hope I can continue to work on them, for the community and supported by the community. Check it out!

June 19, 2014 // News, PHP

Post a comment

Subscribe to this RSS Feed Comments

2014-06-19 18:46:59

Tobias Sjösten

Very cool, Jordi! I really love it when people find way to make sustainable businesses from building free software and I cross my fingers yours will be one.

Are you considering a hosted version of Toran?

2014-06-19 19:54:38


@Tobias: Yes it's something that's on the roadmap at the bottom of the page actually, but it's quite a bit more work than shipping the software to people alone, so it remains a next step.

2014-06-19 20:32:18

Max Schwanekamp

I for one am extremely pleased that there is finally an avenue for companies to chip in toward Composer. Jordi you have almost single-handedly transformed PHP development for the better, and this sounds like a good way to ensure that the world PHP community gets to keep benefiting from the fruits of your labors.

2014-06-19 20:55:46


Cartalyst will support this big time, good move. Love it!

2014-06-20 13:13:26


Congrats and best of luck!

A hosted version would be extremely interesting to give it a try painlessly. Having a GitHub/Packagist proxy (failsafe) and the ability to manage private projects would rock.

Also it mentions "GitHub commit hook integration for immediate updates": that would be awesome too, because when you work with multiple projects, you sometimes have to wait like 5-10 minutes before composer picks up latest versions.

2014-06-20 14:55:47


@mnapoli: Actually the hook is available now for private packages, I forgot to remove it from the roadmap :) It doesn't fix the Packagist delay of up to 10min for public packages though, but that is something I need to fix at the Packagist level anyway.

2014-06-20 15:04:56


Sounds amazing! Beeing able to setup and manage private composer packages easily is something I would definitely pay for. Please rock it. I am sure there is huge market for this.

2014-06-21 14:15:22


Have you considered adding a paid/private package on Packagist? Add something into composer to support http authentication (if it's not there already) and let companies pay a fee to host their packages privately on packagist, similar to how they do it on Github. This makes it easier for companies, as they don't have to worry about hosting anything on their own, and also provides packagist with income to support making it better.

2014-06-23 08:39:17

Adam Culp

Finally got a chance to read this post. Congrats on your choice, I know it was not an easy one to make. Thank you for all you do for the community, and all you will be doing.

2014-06-24 05:33:04

Michael Williams

After setting up Satis for my companies private repos and as a fake proxy I came up with a very similar idea. I'm thrilled to see something like this developed and hope the best for it. I'm sure we will using it internally at my company very shortly.

2016-04-06 14:35:04

Christian S

How to setup authentication in toran proxy? We used the toran ui to add an private repository from bitbucket, but then an error occurs, that auth failed. What can we do?


2016-04-10 12:02:55


@Christian S: Please reach out by email for support because it's kinda hard to keep track here.