- 🇺🇸 United States drumm NY, US
Reviewing the known issues in Rugged:
- #120 Add a new "monitor" worker is fixed!
- #114 Revert to upstream Composer plugin is still open
- #99 Implement support for hashed bins will be necessary for the scale of Drupal.org packages; so data transfer is limited to a reasonable amount, and that JSON can be reliably parsed
- Currently containers are built locally and pushed, https://rugged.works/how-to/images/. This would be better if it could be driven by GitLab CI automatically. Likely needs an issue opened in the rugged project
- 🇺🇸 United States drumm NY, US
Adding to the issue summary:
Plan for signing core components
- Templates like `drupal/core-recommended` are hosted on Packagist.org, so they can be installed with one step after getting Composer. Core component subtree splits are hosted in the same way to simplify core packaging
- https://packagist.org/packages.json changes frequently, so signing on behalf of Packagist.org will need some way to either always have the current version signed, or a proxy that's able to serve what we have signed
- 🇧🇪 Belgium wim leers Ghent 🇧🇪🇪🇺
Do we have any idea about an ETA?
I'm asking because in 🌱 [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager? Needs review it was just revealed that this is hard-blocking `package_manager`, `automatic_updates` and `project_browser`.
- 🇺🇸 United States drumm NY, US
Adding link to https://gitlab.com/rugged/rugged/-/issues/74
- 🇨🇦 Canada ergonlogic Montréal, Québec 🇨🇦
I've revised the summary with updates for the Rugged tickets.
- 🇬🇧 United Kingdom catch
Looks like hashed bins is also done https://gitlab.com/rugged/rugged/-/issues/99
- Status changed to RTBC
6 months ago 4:23pm 8 July 2024
- 🇺🇸 United States drumm NY, US
This is now ready: https://packages.drupal.org/8/metadata/
Before calling it done, we need:
- #3352216: Securely sign Drupal core packages, even though they are hosted on GitHub/packagist directly
- securesystemslib includes non-compliant `keyid_hash_algorithms` property when generating key IDs https://gitlab.com/rugged/rugged/-/issues/192
- Reset processing targets batch on boot https://gitlab.com/rugged/rugged/-/issues/191
- Nice to have, not required - Clean up more completely when targets containing empty directories are processed https://gitlab.com/rugged/rugged/-/issues/149
- Verify root key rotation process
- 🇺🇸 United States drumm NY, US
Added 2 more child issues:
- Add host key verification for sending targets to rugged for signing Active this is a security hardening. We are not sending anything private to be signed by rugged, but we should still verify where we are sending it
- 🌱 Deprecate composer 1 Active will reduce the error rate for the client, especially if our rugged stack has an outage