Talk about performance in README (php-tuf#122)

README.md

@@ -50,3 +50,17 @@ composer tuf:protect https://packages.drupal.org/8
 # Install a package with safety guaranteed by TUF!
 composer require drupal/token
 ```
+
+## Performance
+There's no way around it: this plugin affects Composer's performance. This is because, for every file Composer examines
+(including package metadata), TUF needs to download other files, to confirm that the file Composer is looking at hasn't
+been tampered with.
+
+The performance hit generally isn't extreme, but it may be quite noticeable, depending on how large your project is and
+what you're asking Composer to do. Performance can also be affected by the way TUF has been set up on the server, which
+may be different for each repository.
+
+To mitigate this, the plugin will try to keep network activity to a minimum; whatever network activity it has to do, it
+tries to do in parallel. This is in addition to fairly aggressive caching, while maintaining the ability for TUF to
+keep itself up-to-date. That said, **you should generally expect Composer to be approximately 1.5 to 3 times slower when
+TUF is enabled.**

src/TufValidatedComposerRepository.php

@@ -71,7 +71,7 @@ public function __construct(array $repoConfig, IOInterface $io, Config $config,
             $loader = new SizeCheckingLoader($loader);
             $this->updater = new ComposerCompatibleUpdater($loader, $storage);
 
-            $io->debug("[TUF] Packages from $url are verified by TUF.");
+            $io->info("[TUF] Packages from $url are verified by TUF. This may impact performance.");
             $io->debug("[TUF] Metadata source: $metadataUrl");
         } else {
             // @todo Usability assessment. Should we output this for other repo types, or not at all?