- @phenaproxima opened merge request.
- 🇺🇸United States phenaproxima Massachusetts
Updated the IS with the proposed resolution.
- Assigned to phenaproxima
- Assigned to tedbow
- Status changed to Needs review
almost 2 years ago 3:38pm 10 February 2023 - 🇺🇸United States tedbow Ithaca, NY, USA
Neither Automatic Updates nor Project Browser should have a hard dependency on PHP-TUF.
Core may require php-tuf when we merge in. @phenaproxima do you foresee any problems with this? I'm assuming we don't have any dependencies in php-tuf that core would not want to have an indirect dependency on, like we currently have in AU with composer/composer
- Assigned to phenaproxima
- 🇺🇸United States tedbow Ithaca, NY, USA
Assigning to @phenaproxima for feedback on my idea in MR
- Status changed to Needs work
almost 2 years ago 7:31pm 10 February 2023 - 🇺🇸United States tedbow Ithaca, NY, USA
Also setting to needs work because even if we don't decide to do any of the ideas I proposed I think at the very least we need to be clear in the messages about the security implications. Probably also with a @todo to a follow-up issue that will provide a link to docs
- Assigned to tedbow
- Status changed to Needs review
almost 2 years ago 7:07pm 13 February 2023 - Assigned to phenaproxima
- Status changed to Needs work
almost 2 years ago 8:13pm 13 February 2023 - Status changed to Postponed
almost 2 years ago 2:45pm 15 February 2023 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
@tedbow and @tim.plunkett discussed the plan for getting Automatic Updates, Project Browser and Package Manager into core. We're likely going to aim to land Package Manager first. So postponing this issue for now, until the dust settles on that.
- 🇺🇸United States tedbow Ithaca, NY, USA
RE: 🌱 [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager? Needs review
We need TUF for package manager to get into core at all.
from this issue's summary
(since we don't need to require TUF for attended Package Manager operations).
We should confirm that with a question in #3349368. It may be the case that all package manager operations need TUF or at least AutoUpdates and Project Browser.
- Status changed to Needs work
almost 2 years ago 8:43pm 21 March 2023 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Bumping to critical per #29. But … is this even actionable? Isn't this hard-blocked on #3325040: [Packaging Pipeline] Securely sign packages hosted on Drupal.org using the TUF framework and Rugged → ? 🧐
The current MR needs to be redone anyway, because it's still targeting 8.x-2.x.
P.S.: I think
We need TUF for package manager to get into core at all.
should be
We need TUF for package manager to get into core at all , after all.
😓
- 🇺🇸United States tedbow Ithaca, NY, USA
re #3284443-11: Enable unattended updates → I am removing the "unattended update blocker" tag as I propose we don't block this in contrib only. But it is still an alpha target because we would need this in core for alpha
- 🇺🇸United States tedbow Ithaca, NY, USA
Re the current action that is needed is to make a new MR against 3.0.x from the current 8.x-2.x MR
- 🇺🇸United States tedbow Ithaca, NY, USA
I think we need "Needs issue summary update" before we do more work on this because of the changes made after this comment
re
I would prefer 2) because it would mean that by default all stages would enforce TUF validation. You would have to override this to opt out of validation. Otherwise every stage has to opt in for actual TUF enforcement and not just a warning.
We need to get confirmation from core committers that it is ok for modules building UIs to opt out of TUF protection for their use case.
The reason I think it should be ok is otherwise if we make it too difficult to opt out then I could see developers trying to do this by just removing our validator service altogether. That would be very bad because it would turn off TUF for all use cases
- Assigned to tedbow
- 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
#35: Did we get that clarity? I don't see it on 📌 Add a validator to check that PHP-TUF's Composer integration is present and configured correctly Fixed ? 🤔
- Assigned to wim leers
- 🇺🇸United States tedbow Ithaca, NY, USA
@Wim Leers on #36 you linked back to this issue. Did you mean to link to 🌱 [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager? Needs review ?
- Assigned to tedbow
- Issue was unassigned.
- Status changed to Needs review
over 1 year ago 4:06pm 24 April 2023 - Status changed to Needs work
over 1 year ago 2:37pm 26 April 2023 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
First round of review! This is looking great already 😊
- Assigned to tedbow
- Assigned to phenaproxima
- 🇺🇸United States tedbow Ithaca, NY, USA
re-assigning to @phenaproxima until tests pass
- Assigned to tedbow
- Status changed to Needs review
over 1 year ago 6:25pm 3 May 2023 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Reflecting that this is hard-blocked on 🐛 StageBase::stageDirectoryExists() breaks on PreCreate Fixed .
- Assigned to phenaproxima
- Status changed to Needs work
over 1 year ago 10:43am 4 May 2023 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Detailed review posted. Chief concern: this should behave more like \Drupal\package_manager\Validator\ComposerPatchesValidator, at least the way it is implemented since 📌 Reliably support cweagans/composer-patches in Package Manager & Automatic Updates: validate stage Fixed.
- 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
🐛 StageBase::stageDirectoryExists() breaks on PreCreate Fixed landed.
- 🇺🇸United States phenaproxima Massachusetts
Changing title to reflect the reality that TUF is basically always required for use of Package Manager.
- 🇺🇸United States phenaproxima Massachusetts
Making the title a little more specific, since we're not (yet) adding a hard dependency on PHP-TUF.
- Assigned to tedbow
- Status changed to Needs review
over 1 year ago 2:21pm 5 May 2023 - 🇺🇸United States phenaproxima Massachusetts
Filed 📌 [PP-1] Require PHP-TUF's Composer integration plugin Postponed to actually bring this validator into action.
- 🇺🇸United States tedbow Ithaca, NY, USA
This looks good, but I will have to give it a closer look. Didn't find anything I object to though
- Issue was unassigned.
- Status changed to Needs work
over 1 year ago 12:52pm 8 May 2023 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Thanks for opening 📌 [PP-1] Require PHP-TUF's Composer integration plugin Postponed . Agreed with landing as much as possible NOW, before the d.o infrastructure side is complete 👍 I expanded the information in that issue.
I did still find a few things to be concerned about, but it's definitely closer now!
- Assigned to wim leers
- Status changed to Needs review
over 1 year ago 6:26pm 8 May 2023 - Assigned to phenaproxima
- Status changed to Needs work
over 1 year ago 12:56pm 9 May 2023 - 🇧🇪Belgium wim leers Ghent 🇧🇪🇪🇺
Excellent work here, and thanks for bearing with me as I scrutinize every line …
- Assigned to wim leers
- Status changed to Needs review
over 1 year ago 1:35pm 9 May 2023 - Assigned to tedbow
- Status changed to RTBC
over 1 year ago 2:08pm 9 May 2023 - Assigned to phenaproxima
- Status changed to Needs work
over 1 year ago 3:36pm 9 May 2023 - Assigned to tedbow
- Status changed to Needs review
over 1 year ago 3:43pm 9 May 2023 - Issue was unassigned.
- Status changed to RTBC
over 1 year ago 3:55pm 9 May 2023
- phenaproxima → committed 34a00b34 on 3.0.x
Issue #3316617 by phenaproxima, tedbow, Wim Leers: Add a validator to...
- Status changed to Fixed
over 1 year ago 5:42pm 9 May 2023 Automatically closed - issue fixed for 2 weeks with no activity.