Automatically configure TUF Composer settings after the module is installed

Created on 18 October 2023, about 1 year ago
Updated 19 October 2023, about 1 year ago

Problem/Motivation

Right now, after 📌 [PP-1] Require PHP-TUF's Composer integration plugin (Postponed), users of this module would have to set up TUF settings in their Composer project themselves.

This will be difficult for some users. It may be possible for us to configure this automatically for users.

We can't do this until #3358504, and we can't do that until Drupal.org TUF signing infrastructure is in place, but after that it should be possible.

Proposed resolution

There are probably 2 ways to do this.

  1. We could do this on hook_install. I think we don't have access to the full API of the newly installed module here, but I could be wrong.

    We could simply parse the composer.json file and update it manually.

  2. hook_modules_installed or otherwise after the module is installed.

    At this point we could use our own API to stage changes and then apply them to the site. We would have to make some exception in PhpTufValidator itself to make sure you could perform this operation even though TUF is not set up yet.
    We could even create a basic TUFSetUpStage extends StageBase that would just set this up in create() and not allow require() or other operations. Then PhpTufValidator would not be enforced on TUFSetUpStage.

    This might also be useful to be able to fix sites if their TUF setup gets removed or if the setup requirements change.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Postponed

Version

3.0

Component

Package Manager

Created by

🇺🇸 United States tedbow Ithaca, NY, USA


Comments & Activities

  • Issue created by @tedbow
  • 🇺🇸 United States tedbow Ithaca, NY, USA

    I postponed this because we can't actually have the TUF setting enabled until drupal.org TUF's is working. But if someone wants to work on it before then, they can. We just won't be able to commit at this time.

    So it is not as important as other issues

  • 🇧🇪 Belgium wim leers Ghent 🇧🇪🇪🇺

    because we can't actually have the TUF setting enabled until drupal.org TUF's is working

    Can we link to the blocking issue? 🙏

  • 🇺🇸 United States effulgentsia

    I think we should add a 3rd option, which is to not do it automatically on hook_install() but instead have hook_requirements() (or some other validator) check if the composer.json settings are what they need to be, and if they aren't, add a (CSRF protected) link that when clicked makes the needed changes to composer.json (or takes you to a form with a submit button that does that). Similar to the "Run cron" link in system_requirements().
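
A read-only version of the check discussed in the last comment, as an added example (not code from Package Manager or PHP-TUF): it reports which `composer`-type repositories in composer.json lack TUF protection, which is what a requirements check would need before offering a fix link. It assumes a repository counts as protected when its entry carries a truthy `tuf` key, which this issue does not spell out; the function name and the sample URLs are hypothetical.

```php
<?php

declare(strict_types=1);

/**
 * Returns the URLs of "composer"-type repositories without TUF protection.
 *
 * Assumption: an entry is protected when it has a truthy "tuf" key. The
 * issue itself does not name the exact settings.
 *
 * @throws \RuntimeException if composer.json is unreadable or malformed.
 */
function findUnprotectedRepositories(string $composer_json_path): array {
  $raw = @file_get_contents($composer_json_path);
  if ($raw === FALSE) {
    throw new \RuntimeException("Cannot read $composer_json_path");
  }
  try {
    $data = json_decode($raw, TRUE, 512, JSON_THROW_ON_ERROR);
  }
  catch (\JsonException $e) {
    throw new \RuntimeException("Invalid JSON in $composer_json_path", 0, $e);
  }
  $repositories = is_array($data) ? ($data['repositories'] ?? []) : [];
  $unprotected = [];
  // "repositories" may be a list or a keyed object; foreach handles both.
  foreach ((array) $repositories as $name => $repository) {
    // Skip disabling entries ("packagist.org": false) and non-composer types.
    if (!is_array($repository) || ($repository['type'] ?? '') !== 'composer') {
      continue;
    }
    if (empty($repository['tuf'])) {
      $unprotected[] = $repository['url'] ?? (string) $name;
    }
  }
  return $unprotected;
}

// Constructed sample composer.json: one protected repository, one not.
$path = tempnam(sys_get_temp_dir(), 'composer');
file_put_contents($path, json_encode(['repositories' => [
  ['type' => 'composer', 'url' => 'https://signed.example.org', 'tuf' => TRUE],
  ['type' => 'composer', 'url' => 'https://unsigned.example.org'],
  ['type' => 'vcs', 'url' => 'https://git.example.org/project.git'],
]]));
$missing = findUnprotectedRepositories($path);
unlink($path);
echo $missing ? 'TUF not configured for: ' . implode(', ', $missing) . "\n" : "OK\n";
```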
