Starwman. I happen to have discussed the situation and the approach with the main people behind Composer in person, as well as gone over details with contributors on IRC. They did not seem to share your opinion. Since we’re throwing out logical fallacies: argumentum ab auctoritate.
Like I’ve *already explained*…
Here is the problem: we need composer.json and composer.lock to be version controlled so that MediaWiki core can manage its own dependencies rather than using git submodules or hard-copying source trees into the repository, which everybody agrees are not sustainable solutions. However, third parties want to be able to install extensions via Composer, which, while not the purpose of Composer, is technically feasible. These two ideas conflict.
Here is the solution: rather than using Composer as a package management system when, in reality, it is a dependency management system, we use Composer to properly maintain core, and then do one of the following: 1) implement our own extension installation system from scratch, or 2) change and/or extend Composer so that it supports a plugin system. I personally recommend the latter, and there are upstream bug reports open concerning it.
-- Tyler Romeo 0xC86B42DF