<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <!-- RSS 2.0 feed. The atom namespace is declared only for the self-referencing atom:link inside the channel. -->
  <channel>
    <!-- Channel-level metadata: feed title, the blog's landing page, and a one-line summary. -->
    <title>k2gl blog</title>
    <link>https://k2gl.com/blog</link>
    <description>Notes on PHP supply-chain security, Sigstore, and the k2gl packages.</description>
    <!-- Self link: the URL this feed document is published at (rel="self"), served over https like every other URL in the feed. -->
    <atom:link href="https://k2gl.com/rss.xml" rel="self" type="application/rss+xml"/>
    <!-- One item per post. link and guid carry the same https URL. -->
    <!-- NOTE(review): the text fields below contain no markup or entity references. If items are generated from post metadata, & and < must be XML-escaped at generation time; confirm the generator does so. -->
    <item>
      <title>Verify your Composer dependencies' provenance</title>
      <link>https://k2gl.com/blog/verify-composer-provenance</link>
      <!-- guid has no isPermaLink attribute; RSS 2.0 defaults it to true, so the value is read as the post's permanent URL. Keep it unchanged once published. -->
      <guid>https://k2gl.com/blog/verify-composer-provenance</guid>
      <description>Sign and verify PHP package provenance with Sigstore and GitHub build attestations, end to end.</description>
      <!-- pubDate is in the RFC 822 date form that RSS 2.0 requires, expressed in GMT. -->
      <pubDate>Sun, 05 Jul 2026 00:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
