Contrib.social

Automatic Updates Initiative meeting on Sep 19, 2023

Open on Drupal.org →
Created on 20 December 2023, 12 months ago
Updated 4 January 2024, 12 months ago

This meeting:
➤ Is for core developers, initiative contributors, the Drupal Association and anyone interested in the initiative.
➤ Usually happens every other Tuesday at 1700 UTC.
➤ Is done over chat.
➤ Happens in threads, which you can follow to be notified of new replies even if you don’t comment in the thread. You may also join the meeting later and participate asynchronously!
➤ Has a public agenda anyone can add to
➤ *Transcript will be exported and posted* to the agenda issue. For anonymous comments, start with a :bust_in_silhouette: emoji. To take a comment or thread off the record, start with a :no_entry_sign: emoji.

Transcript

0️⃣ Who is here today? Comment in the thread below to introduce yourself and tell us why you are joining us.

1️⃣ Do you have any topics to propose for the meeting today? Feel free to propose them in this thread, and then I will give them their own unique threads for discussion. Conversation moving slow? Go ahead and open your own thread in the next numeric order.

2️⃣ Security auditing for PHP-TUF and Rugged is contracted, but the proper start date on the audit work is now mid-OctI will continue pushing to accelerate.This does not block alpha, but may affect beta/experimental deadlines.

3️⃣ Security auditing for AutoUpdates Drupal codeI am still having trouble finding an individual or vendor with availability. Have one lead going, but still waiting to hear.

4️⃣ Deploying Pre-Prod RuggedGoal was to try to do that this week - what does pre-prod rugged mean:It means production like cluster running rugged, step up from our staging setup. It does not mean: fully integrated into packaging pipeline/ready for production use. The AWS outages and some other unplanned work may delay, we will see.

5️⃣ Nils from Packagist/Composer will be at DrupalCon! Coordinating with him to attend our session, and likely present one of his own since Ted's cancellation frees space for another session. (edited) 

6️⃣ Contrib module: @phenaproxima is working on Rely on TUF-protected resources to determine which updates are availableBasically since Update XML will not be TUF target we cannot rely on this to determine which updates are availableComposer Metadata is TUF protected so we should be able rely on that.Will require Drupal core security releases to be reported back from composer auditFor Project Browser to use this eventually that would need to be all Drupal project security releases (edited) 

7️⃣ We, of course, will also need framework manager, committer review, etc! And xjm may be able to do with funding. (edited) 

:8ball: I am working on Fix module so conversion to 11.x core merge request works. We temporarily had a Drush dependencies in the 3.x version of the contrib module we weren’t keeping the core MR up-to-date but now that Add Symfony Console command to allow running cron updates via console and by a separate user, for defense-in-depth is we removed the drush dependencies(was only ever in pre-releases)

9️⃣ Related to ^, @xjm, @catch, @longwave: any thoughts on 🌱 [policy, no patch] Consider whether to keep Package Manager and Automatic Updates in a separate repo/package than core in order to facilitate releasing updates to the updater Needs review ? No need to answer now, just making you aware of the issue.

🔟 Composer Stager is now ready for RC pending code review by Core maintainers.

1️⃣1️⃣ Should automatic updates support update from dev versions of core

Participants:

xjm, effulgentsia, drumm, tedbow, hestenet, Warped, longwave, catch, TravisCarden

📌 Task
Status

Fixed

Version

2.0

Component

Meetings

Created by

🇺🇸United States hestenet Portland, OR 🇺🇸

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024