Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Since we now allow anyone to create stable projects, we're partially violating the 'minimum-stability' flag of composer, as there are two classes of stable projects - those with security coverage and those without.
I'm planning on writing a composer plugin to warn about stable modules with no security coverage, but in order to do so, we need that metadata in composer.json.
Proposed resolution
Add metadata drawn from the security-coverage opt-in field to the 'extra' attribute of composer.json so that can be interrogated by composer plugins/scripts etc.
Remaining tasks
Reviews
User interface changes
N/A
API changes
?
Data model changes
?
Comment | File | Size | Author |
---|---|---|---|
#4 | include_metadata_about-2863103-4.patch | 1.11 KB | larowlan |
Comments
Comment #2
larowlanGonna have a go at this while in transit this week
Comment #3
larowlanNotes from IRC convo
Comment #4
larowlanComment #5
larowlanComment #6
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedInteresting idea, i could add support for it in the composer_deploy. How does update.module deal with this change?
Comment #7
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedComment #8
larowlanI take it the answer was 'not at all' :)
Comment #9
drummThanks, looks like a good start.
$project_wrapper->field_security_advisory_coverage->value()
is project-wide coverage. Per-release, we also want to check:http://cgit.drupalcode.org/drupalorg/tree/drupalorg/drupalorg.module#n4954 is where this is done for update status XML. (If the line number changes, it is in
drupalorg_project_release_xml_release_alter()
, after// Add security advisory coverage.
.) That could be pulled out into a generally-useful function, and get the strings matching the update status plan.Comment #10
MixologicIm going to go ahead and add what is essentially @larowans patch from #3, except modified to be the release specific values:
I dont think that project composer should know about any business logic about what constitutes covered or not. If that field is not supposed to contain "covered" because the project is either not a full version or it's been marked as unsupported then we need to make sure that whatever code is responsible for 'unsupporting' a module also removes coverage from the field.
Comment #11
drummThe “covered” for SAs value is per-project, it isn’t the only factor per-release. A covered project might have a stable version, but that doesn’t mean any of the pre-release versions are covered. Or a “covered” project might not have any stable version (yet).
Comment #14
MixologicOkay, so we've refactored the covered status so that we can gather that information per release. The composer facade has been rebuilt to include this data, and it is now gathering that data and returning it in the extra field as both a 'status' and a 'message':
There are three statuses: "covered", "not-covered", and "revoked"
The message is an explanatory text field, and its contents may change, so do not write any logic based off of the message contents as they may change.
This data only reflects the security team's policy for a particular release, and in no way indicates the actual security or insecurity of a particular module.
Comment #16
grasmash CreditAttribution: grasmash commentedhttps://www.drupal.org/project/drupal_security_warning now makes use of this.
Comment #17
larowlanThanks @grasmash, works great
Love it when a plan comes together