Problem/Motivation

Right now, after #3358504: Require PHP-TUF's Composer integration plugin, users of this module would have to set up TUF settings in their Composer project themselves.

This will be difficult for some users. It may be possible for us to configure this automatically for users.

We can't do this until #3358504, and we can't do that until Drupal.org TUF signing infrastructure is in place, but after that it should be possible.

Proposed resolution

There are probably 2 ways to do this.

  1. We could do this on hook_install. I think we don't have access to the full API of the newly installed module here, but I could be wrong.

    We could simply parse the composer.json file and update it manually

  2. hook_modules_installed or otherwise after the module is installed.

    At this point we could use our own API to stage changes and then apply them to the site. We would have to make some exception in PhpTufValidator itself to make sure you could perform this operation even though TUF is not set up yet.
    We could even create a basic TUFSetUpStage extends StageBase that would just set this up in create() and not allow require() or other operations. Then PhpTufValidator would not be enforced on TUFSetUpStage.

    This might also be useful to be able to fix sites if their TUF setup gets removed or if the setup requirements change.

Remaining tasks

User interface changes

API changes

Data model changes

Comments

tedbow created an issue. See original summary.

tedbow’s picture

Title: Automatically configure TUF Composer settings » Automatically configure TUF Composer settings after the module is installed

I postponed this because we can't actually have the TUF setting enabled until drupal.org TUF's is working. But if someone wants to work on it before then, they can. We just won't be able to commit at this time.

So it is not as important as other issues

wim leers’s picture

because we can't actually have the TUF setting enabled until drupal.org TUF's is working

Can we link to the blocking issue? 🙏

effulgentsia’s picture

I think we should add a 3rd option, which is to not do it automatically on hook_install() but instead have hook_requirements() (or some other validator) check if the composer.json settings are what they need to be, and if they aren't, add a (CSRF protected) link that when clicked makes the needed changes to composer.json (or takes you to a form with a submit button that does that). Similar to the "Run cron" link in system_requirements().
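
The check described in the third option above, as an added example that is not part of the thread or the module's code: a plain-PHP function that reports which TUF-related composer.json settings are missing, so that a requirements check could show them next to the fix link. The per-repository `tuf` key, the `allow-plugins` entry, the repository URL, the function name and the sample file are assumptions.

```php
<?php
// Added example, not Automatic Updates code. Assumptions: the plugin is
// php-tuf/composer-integration, it must be listed under config.allow-plugins,
// and a repository is protected when its definition has a truthy "tuf" key.
const TUF_PLUGIN = 'php-tuf/composer-integration';

/**
 * Lists problems with the TUF settings in a project's composer.json.
 *
 * @param string $json Contents of composer.json.
 * @param string[] $repoUrls Repository URLs that must be TUF-protected.
 * @return string[] One message per problem; empty when the settings are fine.
 */
function tuf_config_problems(string $json, array $repoUrls): array {
  try {
    $data = json_decode($json, TRUE, 512, JSON_THROW_ON_ERROR);
  }
  catch (JsonException $e) {
    return ['composer.json is not valid JSON: ' . $e->getMessage()];
  }
  if (!is_array($data)) {
    return ['composer.json does not contain a JSON object.'];
  }
  $problems = [];
  // allow-plugins is either a boolean (all plugins) or a per-plugin map.
  $allow = $data['config']['allow-plugins'] ?? [];
  $allowed = is_array($allow) ? ($allow[TUF_PLUGIN] ?? FALSE) === TRUE : $allow === TRUE;
  if (!$allowed) {
    $problems[] = TUF_PLUGIN . ' is not listed in config.allow-plugins.';
  }
  // "repositories" may be a list or a map; entries such as
  // {"packagist.org": false} are not arrays and are skipped.
  $protected = [];
  foreach ((array) ($data['repositories'] ?? []) as $repo) {
    if (is_array($repo) && is_string($repo['url'] ?? NULL) && !empty($repo['tuf'])) {
      $protected[rtrim($repo['url'], '/')] = TRUE;
    }
  }
  foreach ($repoUrls as $url) {
    if (!isset($protected[rtrim($url, '/')])) {
      $problems[] = "TUF is not enabled for the $url repository.";
    }
  }
  return $problems;
}

// Constructed sample: the plugin is allowed, but the repository has no "tuf" key.
$sample = '{"repositories": [{"type": "composer", "url": "https://packages.drupal.org/8"}],
  "config": {"allow-plugins": {"php-tuf/composer-integration": true}}}';
echo implode(PHP_EOL, tuf_config_problems($sample, ['https://packages.drupal.org/8'])), PHP_EOL;
```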