Postponed
Project: Drupal core
Version: main
Component: package_manager.module
Priority: Critical
Category: Task
Assigned: Unassigned
Reporter:
Created: 5 May 2023 at 14:23 UTC
Updated: 31 Aug 2025 at 14:58 UTC
Comments
Comment #2
wim leers
Given Drupal core release managers have indicated this is a hard requirement … updating issue metadata accordingly.
This is AFAICT hard-blocked on #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged too. Once #3316617: Add a validator to check that PHP-TUF's Composer integration is present and configured correctly lands, this will be down to PP-1.
Comment #3
wim leers
#3316617: Add a validator to check that PHP-TUF's Composer integration is present and configured correctly is in.
@phenaproxima Can we already get a patch/MR in place? 🤓
Comment #4
phenaproxima
Not until PHP-TUF (both the library and the plugin) are published on Packagist.
Comment #5
wim leers
Right, but I mean an outline of a MR that shows which code would need to change. While it's still fresh in your head.
I would not expect this MR to pass obviously!
Comment #7
wim leers
Splendid! 🤩
Thanks 😊
Comment #8
wim leers
Comment #9
catch
https://packagist.org/packages/php-tuf/ should mean this is unblocked?
Comment #10
catch
Moving to core.
Comment #11
catch
Comment #12
catch
I think this still might only be partially implemented in package_manager - we need to figure out exactly what's left to do here.
Comment #13
quietone commented
Comment #14
larowlan
Comment #15
cmlara
Setting as postponed on upstream https://github.com/php-tuf/composer-integration/issues/127
As discovered in #3477553: [PP-1] Manually test TUF-enabled Composer projects, in even basic lab deployments the plug-in causes an excessive increase in memory consumption.
Comment #16
catch
That should be resolved by https://github.com/php-tuf/php-tuf/pull/386 and https://github.com/php-tuf/php-tuf/pull/387 - manual testing of those MRs (or in general if there's a new release incorporating them) would be very welcome. Updating the issue summary to link to them.
Comment #17
phenaproxima
Spun off #3522991: The project templates should allow the PHP-TUF plugin as a Package Manager beta blocker to save us some pain later.
Comment #18
phenaproxima
Comment #19
catch
https://github.com/php-tuf/php-tuf/pull/395 landed.
#3477553: [PP-1] Manually test TUF-enabled Composer projects is still open, but if the dependency is in core, that is one less testing step.
Comment #20
larowlan
Comment #21
quietone commented
This is postponed on 3 php-tuf issues and 1 core issue, so changing status. Update the issue to put the postponed items into the remaining tasks per the guidelines.
Comment #22
naheemsays commented
Is this still postponed on anything?