Problem/Motivation
In #3316617: Add a validator to check that PHP-TUF's Composer integration is present and configured correctly we are adding a validator that ensures PHP-TUF support is present in the site's Composer configuration. However, the validator is not actually tagged as an event subscriber, so it's dormant code.
Several things have to happen for TUF to be activated on a Drupal site (most need child issues):
- The PHP-TUF Composer plugin needs to be present and installed as a dependency. (This likely necessitates tagging stable releases of both the plugin and the underlying PHP-TUF library.)
- The plugin also has to be listed in Composer's allow-plugins config. That's being done for new sites by #3522991: The project templates should allow the PHP-TUF plugin, but existing sites will need to either run a Composer command, or we'll need to write an update or install hook that modifies the project-level composer.json.
- The packages.drupal.org repository has to be explicitly opted into TUF. That's also done in composer.json and will either need to be set for new sites right off the bat, or we'll need an update/install hook to do it.
- Some recent root metadata for drupal.org's TUF repository has to be in PROJECT_ROOT/tuf/packages.drupal.org.json. We'll need to ship this for new and existing projects -- a scaffold file is probably the correct approach. This is most likely best done when we're nearing a stable release of Package Manager in core.
- Core needs to mark the PHP-TUF validator in Package Manager as active (i.e., tag it as an event subscriber).
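As an added illustration (not a file from this issue or from the project), this is what the composer.json pieces listed above look like when they are all in place in one project-level file. The require entry and the allow-plugins entry are plain Composer; the "^1" constraint is a placeholder, since the issue notes that stable releases may still need tagging. The "tuf": true flag on the repository is how I understand the php-tuf/composer-integration plugin marks a repository as TUF-protected; that key is an assumption taken from the plugin's own documentation, not something this issue states (JSON allows no comments, so the assumptions are called out here instead).

```json
{
    "require": {
        "php-tuf/composer-integration": "^1"
    },
    "config": {
        "allow-plugins": {
            "php-tuf/composer-integration": true
        }
    },
    "repositories": {
        "drupal": {
            "type": "composer",
            "url": "https://packages.drupal.org/8",
            "tuf": true
        }
    }
}
```

With the repository opted in, the plugin still needs a trusted root for it, which is the PROJECT_ROOT/tuf/packages.drupal.org.json file named in the list above; without that root there is nothing to verify the repository's signed metadata against, which is why the issue proposes shipping it as a scaffold file rather than leaving each site to obtain it.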
Proposed resolution
Tag the validator as an event subscriber, and add a hard dependency on php-tuf/composer-integration to Package Manager.
Remaining tasks
Postponed on:
- https://github.com/php-tuf/php-tuf/issues/385 which should be resolved by https://github.com/php-tuf/php-tuf/pull/387 and https://github.com/php-tuf/php-tuf/pull/386
- #3370270: [PP-1] Add php-tuf/composer-integration to core dependencies
- #3316617: Add a validator to check that PHP-TUF's Composer integration is present and configured correctly
- drupal.org deploying TUF support to packages.drupal.org in #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged
Issue fork automatic_updates-3358504
Comments
Comment #2
wim leers: Given Drupal core release managers have indicated this is a hard requirement … updating issue metadata accordingly.
This is AFAICT hard-blocked on #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged too. Once #3316617: Add a validator to check that PHP-TUF's Composer integration is present and configured correctly lands, this will be down to PP-1.
Comment #3
wim leers: #3316617: Add a validator to check that PHP-TUF's Composer integration is present and configured correctly is in.
@phenaproxima Can we already get a patch/MR in place? 🤓
Comment #4
phenaproxima: Not until PHP-TUF (both the library and the plugin) are published on Packagist.
Comment #5
wim leers: Right, but I mean an outline of an MR that shows which code would need to change. While it's still fresh in your head.
I would not expect this MR to pass obviously!
Comment #7
wim leers: Splendid! 🤩
Thanks 😊
Comment #8
wim leers
Comment #9
catch: https://packagist.org/packages/php-tuf/ should mean this is unblocked?
Comment #10
catch: Moving to core.
Comment #11
catch
Comment #12
catch: I think this still might only be partially implemented in package_manager - we need to figure out exactly what's left to do here.
Comment #13
quietone
Comment #14
larowlanComment #15
cmlara: Setting as postponed on upstream https://github.com/php-tuf/composer-integration/issues/127
As discovered in #3477553: [PP-1] Manually test TUF-enabled Composer projects in even basic lab deployments the plug-in causes an excessive increase in memory consumption.
Comment #16
catch: That should be resolved by https://github.com/php-tuf/php-tuf/pull/386 and https://github.com/php-tuf/php-tuf/pull/387 - manual testing of those MRs (or in general if there's a new release incorporating them) would be very welcome. Updating the issue summary to link to them.
Comment #17
phenaproxima: Spun off #3522991: The project templates should allow the PHP-TUF plugin as a Package Manager beta blocker to save us some pain later.
Comment #18
phenaproxima
Comment #19
catch: https://github.com/php-tuf/php-tuf/pull/395 landed.
#3477553: [PP-1] Manually test TUF-enabled Composer projects is still open, but if the dependency is in core, that is one less testing step.
Comment #20
larowlanComment #21
quietone: This is postponed on 3 php-tuf issues and 1 core issue, so changing status. Update the issue to put the postponed items into the remaining tasks per the guidelines.
Comment #22
naheemsays: Is this still postponed on anything?