Automatic Updates Initiative meeting on Apr 4, 2023

Created on 21 March 2023, almost 2 years ago
Updated 26 May 2023, over 1 year ago

Transcript

This meeting:
➤ Is for core developers, initiative contributors, the Drupal Association and anyone interested in the initiative.
➤ Usually happens every other Tuesday at 1700 UTC.
➤ Is done over chat.
➤ Happens in threads, which you can follow to be notified of new replies even if you don't comment in the thread. You may also join the meeting later and participate asynchronously!
➤ Has a public agenda anyone can add to.
➤ *Transcript will be exported and posted* to the agenda issue. For anonymous comments, start with a 👤 emoji. To take a comment or thread off the record, start with a 🚫 emoji.

0️⃣ Who is here today? Comment in the thread below to introduce yourself and tell us why you are joining us.

1️⃣ Do you have any topics to propose for the meeting today? Feel free to propose them in this thread, and then I will give them their own unique threads for discussion. Conversation moving slow? Go ahead and open your own thread in the next numeric order.

2️⃣ Rugged signing topics

2️⃣ 1️⃣ Hashed bin support (so that we aren't using too much memory): https://gitlab.com/rugged/rugged/-/issues/99#note_1092688071
EDIT: targeting Apr 14 (edited)

2️⃣ 2️⃣ The current prototype signing endpoint

2️⃣ 3️⃣ Refining/updating containers for production readiness/ease of sharing out to folks like the Composer team

2️⃣ 4️⃣ Securing a partner for security audit. I am going to use internal budget in lieu of being able to secure a fundraising partner; I just need a firm to contract with at this point. I have been working with the TUF folks to identify support. (edited)

2️⃣ 5️⃣ Plan for signing core packages which are subtree split to GitHub and come directly from Packagist. (edited)

3️⃣ The state of coordination between Project Browser and Auto Updates - particularly with respect to the Package Manager

4️⃣ Getting fully up to date with the current version of the TUF spec in the php-tuf client

5️⃣ Just a quick update on the road to core.

Per [policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager?, TUF will be needed before we have alpha-level commit for Package Manager in core. Won't re-hash the discussion here, but there is a lot of info in that issue regarding why that is the case.

I raised this issue regarding requiring HTTPS even in core once we have TUF: [policy, no patch] Should Package Manager require Composer HTTPS? (Just noticed I need to comment on that issue with the latest info I posted in the contrib issue #3351247: Harden our https requirement.)

6️⃣ Unrelated constraints on DA time from the past two weeks:
➤ We are troubleshooting an issue with API errors from the Tugboat API for the existing Tugboat integration with MRs.
➤ We are troubleshooting queuing issues with our Salesforce integration for memberships, also causing queue full pages.
➤ We are managing the consequences of 2 bugs introduced by the last GitLab update: https://gitlab.com/gitlab-org/gitlab/-/issues/404496 and https://gitlab.com/g...

7️⃣ How would we feel about php-tuf and rugged moving under the tuf/ github namespace if it meant that CNCF would provide ongoing support for things like additional security auditing?

8️⃣ I have started a dedicated issue to document what specific components are in scope for the security audit/review: 🌱 Security review of secure signing components for package manager (Active)

Task
Status: Fixed
Version: 2.0
Component: Meetings
Created by: hestenet (Portland, OR, United States)
