See [policy, no patch] Disallow using Package Manager (and therefore Automatic Updates and Project Browser) when Composer's disable-tls setting is true (Needs review) and [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser) (Fixed) for previous discussions.
Package Manager, and especially Automatic Updates, allow for running Composer on production, which is currently not a common use case (i.e. most sites, whether big or small, will either run Composer locally and push the results to production using git or whatever transport mechanism, or do so via a build pipeline). This opens up the possibility that there are production environments either where the PHP openssl extension is not installed, or where it is installed but the certificate bundle is bad, although Composer ships a fallback bundle from Mozilla which should mitigate the latter category.
There is a third possible issue, which is sites that are running a custom Packagist with self-signed certificates, but in the previous issues there was consensus that this is not our target audience (if you can run a custom Packagist, you can use a real certificate these days).
There are two types of hosting we suspect might have this problem, but they are also the two types of hosting that core developers are least likely to use:
1. Institutional hosting provided by an IT department, for example at universities (I very occasionally still see websites served from a home directory 1990s style).
2. Mass shared hosting: dreamhost, hostgator etc.
There might be other kinds, but we can generally assume that platform providers or custom hosts are likely to either adapt to allow automatic updates to run, or might explicitly rule it out as an option anyway, for example if they want to keep a read-only file system.
The purpose of this issue is twofold: one, to collect anecdotal evidence of this problem from people who run into it, and two, to figure out how to do a more formal survey.
For shared hosting, we may be able to ask a sample of hosts if they compile the openssl extension via support or sales tickets.
For institutional hosting, all I can think of is a formal survey which is promoted by d.o and social media channels, but there seems to be a high risk of not getting a statistically significant sample size.
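As an added example (not code from this issue, from Package Manager, or from Composer), the following stand-alone PHP script checks a host for the three conditions discussed above: whether the openssl extension is loaded, whether PHP can find a usable CA bundle and verify a real TLS chain with it, and whether Composer's `disable-tls` setting is switched on in the site's `composer.json` or the global Composer config. The script name, the choice of `repo.packagist.org` as the verification target, and the exit codes are this example's own assumptions; it must be run with the same PHP binary (CLI or web SAPI) that would later run Composer, since each SAPI can load a different php.ini.

```php
<?php
// check_tls_preflight.php (example, not part of Drupal core or Composer).
// Usage: php check_tls_preflight.php /path/to/site   (path defaults to cwd)
// Exit code 0 means all checks passed; 1 means at least one failed.
declare(strict_types=1);

// Hypothetical probe host; any public HTTPS host with a publicly trusted
// chain would do, Packagist is chosen because Composer talks to it.
const PROBE_HOST = 'repo.packagist.org';

function checkOpensslExtension(): array {
  if (!extension_loaded('openssl')) {
    return [FALSE, 'PHP openssl extension is not loaded (this SAPI cannot do HTTPS without it)'];
  }
  return [TRUE, 'openssl extension loaded: ' . OPENSSL_VERSION_TEXT];
}

function checkCaBundle(): array {
  if (!extension_loaded('openssl')) {
    return [FALSE, 'skipped: openssl extension missing'];
  }
  $loc = openssl_get_cert_locations();
  // Files PHP would try, in roughly the order it consults them.
  $files = array_filter([
    ini_get('openssl.cafile') ?: '',
    $loc['ini_cafile'] ?? '',
    $loc['default_cert_file'] ?? '',
  ]);
  foreach ($files as $path) {
    if (is_readable($path) && filesize($path) > 0) {
      return [TRUE, "CA bundle file found: $path"];
    }
  }
  $dir = (ini_get('openssl.capath') ?: '') ?: ($loc['default_cert_dir'] ?? '');
  if ($dir !== '' && is_dir($dir) && glob("$dir/*") !== []) {
    return [TRUE, "CA directory found: $dir"];
  }
  // Composer (via composer/ca-bundle) would fall back to its own Mozilla
  // bundle here, but anything else in the site using PHP streams would not.
  return [FALSE, 'no readable CA bundle or CA directory configured for PHP'];
}

function checkLiveVerification(string $host = PROBE_HOST): array {
  if (!extension_loaded('openssl')) {
    return [FALSE, 'skipped: openssl extension missing'];
  }
  // verify_peer/verify_peer_name force PHP to validate the chain against the
  // system trust store; a bad bundle surfaces here as a connection error.
  $ctx = stream_context_create(['ssl' => ['verify_peer' => TRUE, 'verify_peer_name' => TRUE]]);
  $errno = 0;
  $errstr = '';
  $sock = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
  if ($sock === FALSE) {
    return [FALSE, "TLS verification to $host failed: $errstr ($errno)"];
  }
  fclose($sock);
  return [TRUE, "TLS chain for $host verified with the system trust store"];
}

function disableTlsIn(string $jsonPath): ?bool {
  if (!is_readable($jsonPath)) {
    return NULL;
  }
  $data = json_decode((string) file_get_contents($jsonPath), TRUE);
  return is_array($data) ? (($data['config']['disable-tls'] ?? FALSE) === TRUE) : NULL;
}

function checkComposerDisableTls(string $siteDir): array {
  // Project config, then the global config Composer merges in. Only the
  // COMPOSER_HOME and ~/.composer locations are checked; the XDG layout is
  // left out of this example for brevity.
  $home = getenv('COMPOSER_HOME') ?: (getenv('HOME') ?: '') . '/.composer';
  foreach (["$siteDir/composer.json", "$home/config.json"] as $path) {
    if (disableTlsIn($path) === TRUE) {
      return [FALSE, "Composer disable-tls is true in $path (Package Manager should refuse to run)"];
    }
  }
  return [TRUE, 'Composer disable-tls is not enabled'];
}

$siteDir = $argv[1] ?? getcwd();
$allOk = TRUE;
foreach ([
  checkOpensslExtension(),
  checkCaBundle(),
  checkLiveVerification(),
  checkComposerDisableTls($siteDir),
] as [$ok, $detail]) {
  $allOk = $allOk && $ok;
  fwrite(STDOUT, ($ok ? '[ OK ] ' : '[FAIL] ') . $detail . PHP_EOL);
}
exit($allOk ? 0 : 1);
```

The live verification step needs outbound network access and will also fail behind a TLS-intercepting proxy whose CA is not in PHP's bundle, which is itself a condition worth reporting back in the survey this issue asks for. Because Package Manager runs Composer from PHP, a host that passes all four checks from the CLI but fails the first two under the web SAPI (a separate php.ini with `extension=openssl` missing) would still be affected, so the script should be run both ways.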