In parallel with the discussions surrounding how to integrate a composer based workflow into drupal and its modules, there are infrastructure requirements and impacts that should be considered/discussed/resolved in order to support a composer based workflow for the drupal ecosystem.

Some questions that need to be discussed/clarified in using packagist as our dependency metadata resolution repository.

  • What impact will hosting a project the size of drupal have on packagist infrastructure? Can they handle whatever load we're going to send, and is there a cost associated with that?
  • What metrics will we be able to collect from packagist?
  • What does need to do to get first class citizenship like github and bitbucket have for our git repos?
  • How are security issues handled with packagist? Will the security team be able to unpublish insecure modules?
  • Who owns/manages 'vendor' account at packagist?
  • Would this have an impact on updates and the's update system? i.e. what happens when a module checks in a composer.lock file with insecure versions?
  • How are distributions/install profiles affected by something like this?
  • Is packaging/tarballs still needed for d8+ if we go to composer based workflow?

Composer Infra Requirements

Order Issue Assignment Comments
1 #1503234: Process Composer components when building Drupal core who? Composer for tarball
2 #2622462: Make sure packaging plays nice with GitHub api limits who? Api limits
3 #2622474: Testbots need some kind of composer cache who? Composer for testing
4 #2622394: Use composer for dependency resolution when running tests who? Composer for testing
5 #2622494: The updates process should alert about new versions in composer dependencies who? Depedency alerting
6 #2622482: Update download stats processing for Composer who? Stats
7 #2622466: Packaging should create a composer.lock file for distributions who? R&D - can we support distros this way?
8 [#] R&D How to support multi-sites? who? R&D
9 #2352091: Create (and maintain) a subtree split of Drupal core who? Eventually, subtree split core components
10 #2622470: Explore Toran Proxy for release packages who? R&D


Mixologic’s picture

In order to keep packagist up to date, we'll need something that connects our git infra to packagist.

Mixologic’s picture

We may host drupalesque php libraries ourselves.

Mixologic’s picture

Category: Feature request » Plan
Related issues: +#2352091: Create (and maintain) a subtree split of Drupal core

We may want to allow use of "drupal core" - the codebase, independently of drupal, the product (with the front controllers, htaccess, and other structure). To do this we'll need to offer a subtree split of drupal, much like other projects offer.

hestenet’s picture

hestenet’s picture

Title: [Meta] Infrastructure Requirements to support Composer based workflows » Infrastructure Requirements to support Composer based workflows
Issue summary: View changes
drumm’s picture

Issue summary: View changes