WIP: Add docs page for manual testing of TUF-enabled Composer projects

Created on 27 September 2024, about 2 months ago

Problem/Motivation

We'd like to have the community start to test TUF via Composer directly (i.e. not via Automatic Updates). We'd also like to gather some real-world data about how much TUF metadata is being downloaded, and how is scales with the number of Drupal packages installed.

Proposed resolution

We suggest adding a documentation page with the following content:

Thank you for helping to test the new TUF-secured infrastructure on drupal.org. By doing so, you are helping to ensure the stability of these new systems, and providing information that will guide future plans for improvements.

Before you start, you'll need a Drupal project where you can run Composer at the command-line. Ideally, you can test this on an exiting project, because we're looking for feedback on real-world scenarios. If not, see ... for how to get setup.

The first step is to add the PHP-TUF Composer Integration Plugin:
composer require php-tuf/composer-integration:dev-main --dev
Next, find the "repositories" section of your project's `composer.json`, and enable TUF on the Drupal package repo:
[...]
    "repositories": [
        {
            "type": "composer",
            "url": "https://packages.drupal.org/8",
            "tuf": true      <== ADD THIS BIT
        },
    ],
[...]
Then, add the signed repository for Drupal core, and related projects to the same "repositories" section:
[...]
    {
            "type": "composer",
            "url": "https://packagist-signed.drupalcode.org",
            "tuf": true
    }
Finally, download the initial root metadata for these two repos:
mkdir tuf
wget https://packages.drupal.org/8/metadata/1.root.json -O tuf/packages.drupal.org.json
wget https://packagist-signed.drupalcode.org/metadata/1.root.json -O tuf/packagist-signed.drupalcode.org.json
Then run `composer -vvv update`

You should see the following in the output:
```
```

If you see any errors, file a bug report on the "drupal.org infrastructure" project, using the "Packaging" component.

We're trying to gather some performance metrics as well. If you'd like to help with this, please file a "task" issue (again "Packaging"), tagged with "TUF-testing". Please run the following commands and report back the results:

```
composer show | grep drupal/ | wc -l

du -sh .composer/tuf
```

Remaining tasks

📌 Task

Status

Postponed

Component

Packaging

Created by

🇨🇦Canada ergonlogic Montréal, Québec 🇨🇦

Live updates comments and jobs are added and updated live.

TUF-testing

The Update Framework (TUF)

Comments & Activities

Issue created by @ergonlogic
Comment about 2 months ago →
🇨🇦Canada ergonlogic Montréal, Québec 🇨🇦
Comment about 2 months ago →
🇨🇦Canada ergonlogic Montréal, Québec 🇨🇦
The initial idea was to create a docs page with testing instructions, and then ask testers to create issues to document their results. But, upon further reflection, this is overkill. All we need is an issue for the testing itself (see: 📌 Manually test TUF-enabled Composer projects Active ), and ask for feedback in comments.

I've simplified the issue summary accordingly. I'm moving it back to 'active', since we need to promote this testing,

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024