Deprecate composer 1

Since modern Drupal core requires Composer 2, our Composer 1 traffic is very low - less than 0.5% for all traffic, 1.3% when counting by IP address. We should remove Composer 1 support before thinking about moving this code from Drupal 7 to modern Drupal.

Adding #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged → as a parent issue. Composer 1 support causes https://packages.drupal.org/8/packages.json to be updated frequently. TUF will flag any time that packages.json is updated, but the hash of the file has not been updated. Once Composer 1 is no longer supported, https://packages.drupal.org/8/packages.json will effectively become a static file, greatly reducing the impact of any rugged/signing disruptions.

And we need to get this done before updating this codebase to modern Drupal.

This will happen in 2 phases:

• Stop updating Composer 1 metadata - Composer 1 will still be functional with packages.drupal.org, but will not have any new releases or other updates. I’d like to do this in about a month, the week of August 5 or 12
• Remove Composer 1 metadata - Composer 1 will no longer be able to use packages.drupal.org. I’d like to do this a month or two later, the week of October 1 would put it after DrupalCon Barcelona

Both can be announced directly to users like https://packagist.org/packages.json has

"warning":"Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/","warning-versions":"<1.99"

And we should have various other announcements, including a couple blog posts.

Wouldn't it be better to set the version constraint to <2.0 . Theoretically you can have V1.100 (even though the highest composer 1 version is 1.10.27).

Should the message include the steps required to upgrade? Or a link to those steps?

This will be displayed alongside Packagist.org’s warning:

Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/

https://packagist.org/packages.json uses "warning-versions":"<1.99" I’m not sure if they have a reason for that, but I’d rather follow their lead, even if it might not be technically correct.

We should definitely link to our announcement about packages.drupal.org’s support, once its drafted & posted.

This will be displayed alongside Packagist.org’s warning:

Great! So that's covered then ;-)

https://packagist.org/packages.json uses "warning-versions":"<1.99" I’m not sure if they have a reason for that, but I’d rather follow their lead, even if it might not be technically correct.

Yes, makes perfect sense in that case 😉 and +1 for linking to the official Drupal announcement

The warning is now deployed and the announcement is at https://www.drupal.org/drupalorg/blog/ending-packagesdrupalorg-support-f... →

I've put some notes for the changes needed in child issues.