- Issue created by @hestenet
- ๐บ๐ธUnited States drumm NY, US
Adding notes on a non-ideal solution we considered
- ๐บ๐ธUnited States phenaproxima Massachusetts
I read over this and I think, from the perspective of the Composer plugin that adds TUF support to Composer, this should be okay. As long as the new Composer repository is a standard Composer repository, it should be transparent to the plugin.
- ๐ง๐ชBelgium wim leers Ghent ๐ง๐ช๐ช๐บ
If Packagist.org starts providing signing, we can empty out our new repository, letting Packagist.org take back over.
Are they planning to do this at some point? If so, can you provide a link? If not, I assume you're just extrapolating into a far future?
- ๐บ๐ธUnited States drumm NY, US
Hopefully they can implement Rugged as well. There is no specific plan, so it may as well be far future.
- Status changed to Needs review
9 months ago 5:23pm 2 April 2024 - ๐บ๐ธUnited States drumm NY, US
https://gitlab.com/drupal-infrastructure/package-signing/packagist-signed is getting close to a deployable state, so we can test everything together, see what else might be missing or broken, and add all the packages we need.
- ๐บ๐ธUnited States drumm NY, US
{ "type": "composer", "url": "https://signed-packagist.staging.devdrupal.org" }
Can now be added to repositories in composer.lock to override a couple core components for testing. This comes with TUF at https://signed-packagist.staging.devdrupal.org/metadata/
- ๐บ๐ธUnited States drumm NY, US
We have the start of this in production at https://packagist-signed.drupalcode.org/packages.json & https://packagist-signed.drupalcode.org/metadata/
The remaining work is to get all of the
drupal/
namespace on Packagist.org mirrored. This is ready with https://gitlab.com/drupal-infrastructure/package-signing/packagist-signe..., and needs debugging for why it hasnโt succeeded in production. - Status changed to Fixed
5 months ago 3:38pm 19 July 2024 - ๐บ๐ธUnited States drumm NY, US
Backfilling completed and this has been running smoothly for over a week.
Automatically closed - issue fixed for 2 weeks with no activity.