Problem/Motivation
The Automatic Updates Initiative and the Project Browser Initiative both are creating modules that will add user interfaces for running Composer commands to add and update projects.
While this does not introduce completely new supply chain attack vectors, it does mean these operations can be triggered via the UI, and in the Automatic Updates case it introduces an unattended process that updates Drupal core (and maybe eventually other projects).
There are 3 modules that will be added to core, each of which will go through the experimental module process:
- Package Manager: the API-only module that runs the Composer commands. It is currently a sub-module of Automatic Updates in contrib but would be its own module in core.
In addition to eventually adding "The Update Framework" integration, this module also provides additional security hardening over using Composer directly:
- Requires https to be used for Composer
- Requires https to be used for fetching Drupal.org update XML
- Ensures that all drupal.org projects are on secure versions according to drupal.org update XML
Both of the other 2 modules require this module and get this extra security hardening.
- Automatic Updates: the MVP for core only updates Drupal core. It provides both a form and a cron process that updates core. It allows 3rd party vendor packages to be updated or added if required for a core update. It does not allow other Drupal projects to be updated during a core update.
- Project Browser: it installs new modules and themes via Composer. 3rd party vendor packages and other dependencies are allowed to be updated. It does not allow core to be updated while a new project is being installed.
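As an added illustration of the first hardening point (https only for Composer), here is a small checker that is not part of Package Manager or any Drupal project. It reads a constructed composer.json, flags Composer's real `config.secure-http` option when it has been disabled, and flags any declared repository whose URL is not https; the function name `check_composer_transport` is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed composer.json for a site that has loosened Composer's transport
# security: the drupal repository uses plain http and secure-http is off.
SAMPLE_COMPOSER_JSON = """
{
  "repositories": {
    "drupal": {"type": "composer", "url": "http://packages.drupal.org/8"},
    "mirror": {"type": "composer", "url": "https://packages.example.test"}
  },
  "config": {"secure-http": false}
}
"""


def check_composer_transport(composer_json_text: str) -> list[str]:
    """Return findings that violate the 'https only for Composer' hardening.

    Two checks: Composer's `config.secure-http` option must not be disabled,
    and every declared repository URL must use the https scheme.
    """
    doc = json.loads(composer_json_text)
    findings = []
    config = doc.get("config", {})
    # Composer enables secure-http by default; an explicit false disables it.
    if config.get("secure-http", True) is False:
        findings.append("config.secure-http is disabled")
    repos = doc.get("repositories", {})
    # Composer accepts repositories either as a list or as a name-keyed object.
    items = repos.items() if isinstance(repos, dict) else enumerate(repos)
    for name, repo in items:
        url = repo.get("url") if isinstance(repo, dict) else None
        if url and urlparse(url).scheme != "https":
            findings.append(f"repository '{name}' uses non-https url: {url}")
    return findings


if __name__ == "__main__":
    for finding in check_composer_transport(SAMPLE_COMPOSER_JSON):
        print(finding)
```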
Proposed resolution
It has been decided that Drupal will implement The Update Framework (TUF) to enhance security against supply chain attacks.
We need to determine (or simply write down, if already decided by the Drupal core Release and Product managers) at what stages of the core experimental process integration with The Update Framework is required.
Technically it is possible to do the validation either:
- In Package Manager, so that everything that depends on it requires it
- In either or both of Automatic Updates and Project Browser, or only when using those modules in certain ways, for instance only for cron updates in Automatic Updates
It should be noted that since TUF validation is done at the Composer plugin level, once a Drupal site is set up to use the TUF integration, all Composer commands, whether through the new UIs or through the command line, will require TUF validation for operations on drupal.org projects. Composer configuration would have to be updated to opt out of TUF integration.
Questions that need to be answered or clarified:
- Is TUF integration an Alpha, Beta, or Stable requirement for core inclusion?
- Is the TUF integration requirement the same for Package Manager, Project Browser, and Automatic Updates?