Add php-tuf/composer-integration to core dependencies and governance — for experimental Automatic Updates & Project Browser modules

@phenaproxima is working on updating the summary with instructions for how to test this using TUF metadata that is available in testing on drupal.org since the production TUF metadata is not ready yet

Re-titling because I keep thinking this is about the governance issue and security review, which are more or less done at this point, whereas we still need to actually add the dependency to core. Would be good to get an MR up to add it.

📌 Manually test TUF-enabled Composer projects Active is where we’ve been getting some real-world testing

I think the memory usage looks a blocker: https://github.com/php-tuf/composer-integration/issues/127

Otherwise, we haven’t seen production issues in the last few weeks. When we do see them, they are hard to debug: https://github.com/php-tuf/composer-integration/issues/128

packages.drupal.org is TUF-enabled. For core, the drupal/* & php-tuf/* namespaces, there is packagist-signed.drupalcode.org to be added as another Composer repository. I’m guessing we might want a separate issue for adding the repository before packages.drupal.org

Between the three MRs linked from https://github.com/php-tuf/php-tuf/issues/385 the memory issues should be significantly better - I saw it drop from about 320mb to 60mb - and 60mb is consistent with normal composer usage. It would be good to see some more testing, but I also think we could look at adding this as a dev dependency to core in the 11.x branch, which would be one less step for manual testing.

A dev dependency is a good idea.

📌 Manually test TUF-enabled Composer projects Active found another issue after a metadata refresh on Drupal.org

@drumm was pretty sure that the TUF-client should be able to transparently use the new metadata, so I've opened https://github.com/php-tuf/php-tuf/issues/396

Marking this [PP-1] since currently the manual testing steps on that issue result in a fatal error.