Manually test TUF-enabled Composer projects

Created on 28 September 2024

Problem/Motivation

We'd like to have the community start testing TUF via Composer directly (i.e. not via Automatic Updates). We'd also like to gather some real-world data about how much TUF metadata is being downloaded, and how it scales with the number of Drupal packages installed.

Steps to reproduce

First off, thank you for helping to test the new TUF-secured infrastructure on drupal.org. By doing so, you are helping to ensure the stability of these new systems, and providing valuable feedback that will guide future plans for improvements.

Before you start, you'll need a Drupal project where you can run Composer at the command line. Ideally, you can test this on one or more existing projects, because we're looking for feedback on real-world scenarios. If not, see the Drupal installation documentation for how to get set up.

The first step is to add the PHP-TUF Composer Integration Plugin, and authorize Composer to run it. From the root of your project, run the following:

composer config allow-plugins.php-tuf/composer-integration true
composer require php-tuf/composer-integration:dev-main --dev

Next, you will need to configure Composer to enable TUF protection for the Drupal package repository:

composer tuf:protect https://packages.drupal.org/8

Then, add the signed repository for Drupal core (and related projects) and enable TUF protection for it too:

composer config repositories.drupal-core composer https://packagist-signed.drupalcode.org
composer tuf:protect https://packagist-signed.drupalcode.org

Next, download the initial (version 1) root metadata for these two repositories. This root metadata is the trust anchor for everything the plugin verifies afterwards; it is read from a tuf/ directory at the project root, in a file named after the repository host:

mkdir tuf
wget https://packages.drupal.org/8/metadata/1.root.json -O tuf/packages.drupal.org.json
wget https://packagist-signed.drupalcode.org/metadata/1.root.json -O tuf/packagist-signed.drupalcode.org.json

Finally, update Composer dependencies:

composer -vv update

You should see the following in the output:
```
[TUF] Packages from https://packages.drupal.org/8 are verified by TUF. This may impact performance.
[TUF] Packages from https://packagist-signed.drupalcode.org are verified by TUF. This may impact performance.
Authenticity of packages from https://asset-packagist.org are not verified by TUF.
Authenticity of packages from https://repo.packagist.org are not verified by TUF.
```

If you see any errors, please immediately file a bug report on the "drupal.org infrastructure" project, using the "Packaging" component.
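Because the two 1.root.json files downloaded above are the trust anchors for all later TUF verification, it is worth checking that each one is the document the plugin expects before relying on it. The script below is an added example for this issue; it is not part of php-tuf/composer-integration and does not verify signatures cryptographically (the plugin does that when it loads tuf/<host>.json). It only checks the structural properties of a TUF root: type "root", version 1, not expired, every role's threshold satisfiable by known keys, and at least a root-threshold's worth of signatures from root-role keys. SAMPLE_ROOT and TAMPERED_ROOT are constructed documents with placeholder key ids and signatures, not metadata from drupal.org.

```python
"""Structural sanity checks for a TUF root metadata file (added example)."""
import json
from datetime import datetime, timezone

TUF_ROLES = ("root", "targets", "snapshot", "timestamp")


def _parse_expires(value):
    # TUF serialises expiry as an ISO 8601 UTC timestamp with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_root_metadata(raw, now=None):
    """Return a list of problems found; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["top-level document is not a JSON object"]

    signed = doc.get("signed", {})
    if signed.get("_type") != "root":
        problems.append("_type is %r, expected 'root'" % signed.get("_type"))
    if signed.get("version") != 1:
        problems.append("version is %r; the initial root should be version 1" % signed.get("version"))
    try:
        if _parse_expires(signed.get("expires")) <= now:
            problems.append("metadata expired at %s" % signed["expires"])
    except (TypeError, ValueError):
        problems.append("unparseable expires field: %r" % signed.get("expires"))

    keys = signed.get("keys", {})
    roles = signed.get("roles", {})
    for role in TUF_ROLES:
        entry = roles.get(role)
        if entry is None:
            problems.append("role %s is missing" % role)
            continue
        keyids = set(entry.get("keyids", []))  # duplicates must not inflate the count
        threshold = entry.get("threshold", 0)
        unknown = sorted(k for k in keyids if k not in keys)
        if unknown:
            problems.append("role %s references unknown keyids %s" % (role, unknown))
        if not 1 <= threshold <= len(keyids):
            problems.append("role %s: threshold %s cannot be met by %d keyids"
                            % (role, threshold, len(keyids)))

    # Root metadata is self-signed: the attached signatures must come from
    # root-role keys, and there must be at least `threshold` distinct ones.
    root_role = roles.get("root", {})
    root_keyids = set(root_role.get("keyids", []))
    signing_keyids = {sig.get("keyid") for sig in doc.get("signatures", [])}
    if len(signing_keyids & root_keyids) < root_role.get("threshold", 1):
        problems.append("fewer root-key signatures than the root threshold requires")
    return problems


def _sample_root(root_threshold=1):
    # Constructed document: placeholder key material and signature bytes.
    key = {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "00" * 32}}
    keys = {"root-key-1": dict(key), "online-key-1": dict(key)}
    roles = {"root": {"keyids": ["root-key-1"], "threshold": root_threshold}}
    for role in ("targets", "snapshot", "timestamp"):
        roles[role] = {"keyids": ["online-key-1"], "threshold": 1}
    return json.dumps({
        "signatures": [{"keyid": "root-key-1", "sig": "ff" * 64}],
        "signed": {"_type": "root", "spec_version": "1.0.0", "version": 1,
                   "expires": "2099-01-01T00:00:00Z", "consistent_snapshot": True,
                   "keys": keys, "roles": roles},
    })


SAMPLE_ROOT = _sample_root()
# Same document with the root threshold raised above the number of root keys:
# no client could ever reach quorum on it, so the check must reject it.
TAMPERED_ROOT = _sample_root(root_threshold=2)

if __name__ == "__main__":
    import sys
    # Usage: python check_root.py tuf/packages.drupal.org.json tuf/packagist-signed.drupalcode.org.json
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or \
             [("sample", SAMPLE_ROOT), ("tampered", TAMPERED_ROOT)]
    for name, raw in inputs:
        print(name, check_root_metadata(raw) or "ok")
```

Run it against the two files in tuf/ after the wget step; a non-empty problem list means the download is not a usable trust anchor and should be re-fetched (or reported) before running composer update.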

Remaining tasks

We're trying to gather some performance metrics as well. If you'd like to help with this, please follow the steps below, and report the results.

First, we'd like to know how many Drupal packages (modules, themes, etc.) your project is using:

$ composer show | grep drupal/ | wc -l
  15

Second, we'd like to know how much TUF metadata was downloaded to cover those packages.

$ du -sh vendor/composer/tuf
2.9M	vendor/composer/tuf

To report the results, add a comment below. This can be as simple as:

Packages: 15
TUF metadata: 2.9M
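The same two numbers can be collected without piping through grep. The script below is an added example for this issue, not part of Composer or the plugin: it reads vendor/composer/installed.json (Composer's own record of installed packages, dev packages included, as with composer show) and counts package names that begin with "drupal/", so a description that merely mentions "drupal/" cannot inflate the count; the metadata figure is the total size of files under vendor/composer/tuf, which is what du -s measures. make_sample_project() creates a constructed project tree in a temporary directory so the script can be tried without a real Drupal checkout; the package list and file sizes in it are made up for illustration.

```python
"""Collect the package count and TUF metadata size for this issue (added example)."""
import json
import os
import tempfile


def count_drupal_packages(installed_json_text):
    data = json.loads(installed_json_text)
    # Composer 2 wraps the list in {"packages": [...]}; Composer 1 wrote a bare list.
    packages = data["packages"] if isinstance(data, dict) else data
    return sum(1 for p in packages if p.get("name", "").startswith("drupal/"))


def dir_size_bytes(path):
    total = 0
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(dirpath, name))
    return total


def human_size(n):
    # du -h style: one decimal place, powers of 1024.
    for unit in ("B", "K", "M", "G"):
        if n < 1024 or unit == "G":
            return ("%d%s" if unit == "B" else "%.1f%s") % (n, unit)
        n /= 1024


def report(project_root):
    """Return the numbers plus the two-line comment text this issue asks for."""
    with open(os.path.join(project_root, "vendor", "composer", "installed.json")) as fh:
        packages = count_drupal_packages(fh.read())
    size = dir_size_bytes(os.path.join(project_root, "vendor", "composer", "tuf"))
    return {"packages": packages, "tuf_metadata_bytes": size,
            "text": "Packages: %d\nTUF metadata: %s" % (packages, human_size(size))}


def make_sample_project():
    """Build a constructed vendor/composer tree in a temp dir (not a real project)."""
    root = tempfile.mkdtemp(prefix="tuf-metrics-")
    composer_dir = os.path.join(root, "vendor", "composer")
    tuf_dir = os.path.join(composer_dir, "tuf", "packages.drupal.org")
    os.makedirs(tuf_dir)
    installed = {"packages": [
        {"name": "drupal/core"},
        {"name": "drupal/pathauto"},
        {"name": "drupal/token"},
        # Non-Drupal package whose description would match a plain `grep drupal/`.
        {"name": "symfony/console", "description": "used alongside drupal/core"},
    ], "dev": True, "dev-package-names": []}
    with open(os.path.join(composer_dir, "installed.json"), "w") as fh:
        json.dump(installed, fh)
    for name, size in (("1.root.json", 1024), ("timestamp.json", 512)):
        with open(os.path.join(tuf_dir, name), "wb") as fh:
            fh.write(b"0" * size)  # filler bytes; real files are TUF JSON
    return root


if __name__ == "__main__":
    import sys
    # Usage: python tuf_metrics.py /path/to/drupal/project  (defaults to the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_project()
    print(report(target)["text"])
```

Pointed at a real project root, the printed text is exactly the two lines requested above and can be pasted into a comment as-is.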

Thank you again for helping to test the new TUF-secured infrastructure on drupal.org.

Task

Status: Active

Component: Packaging

Created by: ergonlogic (Montréal, Québec, Canada)
