
[policy, no patch] How much of The Update Framework integration is needed for alpha-level review/commit of Package Manager?


Problem/Motivation

The Automatic Updates Initiative and the Project Browser Initiative are both creating modules that will add user interfaces for running Composer commands to add and update projects.

While this does not introduce completely new supply-side attack vectors, it does mean these operations can be triggered via the UI, and in the Automatic Updates case it introduces an unattended process that updates Drupal core (and maybe eventually other projects).

There are 3 modules that will be added to core, each of which will go through the experimental module process:

  1. Package Manager: the API-only module that runs the Composer commands. It is currently a sub-module of Automatic Updates in contrib but would be its own module in core.

    In addition to eventually adding "The Update Framework" integration, this module also provides additional security hardening over using Composer directly:

    1. Requires https to be used for Composer
    2. Requires https to be used for fetching Drupal.org update XML
    3. Ensures that all drupal.org projects are on secure versions according to drupal.org update XML

    Both of the other 2 modules require this module and get this extra security hardening.

  2. Automatic Updates: the MVP for core only updates Drupal core. It provides both a form and a cron process that updates core. It allows 3rd party vendor packages to be updated or added if required for the core update. It does not allow other Drupal projects to be updated during a core update.
  3. Project Browser: installs new modules and themes via Composer. 3rd party vendor packages and other dependencies are allowed to be updated. It does not allow core to be updated while a new project is being installed.

It has been decided that Drupal will implement The Update Framework (TUF) to enhance security against supply-side attacks.

We need to determine, or just write down if already decided by the Drupal core Release and Product managers, at which stages of the core experimental process integration with The Update Framework is required.

Technically it is possible to do the validation either:

  1. In Package Manager, so that all modules that depend on it require it
  2. In either or both of Automatic Updates or Project Browser, or only when using those modules in certain ways, for instance only for cron updates in Automatic Updates

It should be noted that, since TUF validation is done at the Composer plugin level, once a Drupal site is set up to use the TUF integration, all Composer commands, whether through the new UIs or through the command line, will require TUF validation for operations on drupal.org projects. Composer configuration would have to be updated to opt out of TUF integration.

Questions that need to be answered or clarified:

  1. Is TUF integration an Alpha requirement for Package Manager?
  2. Is the TUF integration requirement the same for Package Manager, Project Browser, and Automatic Updates?

Proposed resolution

A production setup of TUF is not required prior to an initial commit of Package Manager in Drupal core. This also applies to Automatic Updates and Project Browser.

A testing module to allow testing Package Manager/Automatic Updates against d.o's dev Packagist endpoint might be needed for the reviews, but might not be necessary if TUF is deployed on d.o production before an alpha commit anyway, or if there's a way to easily configure this without a testing module for people testing locally. Even though it hasn't been identified as a hard blocker at this point, let's try to implement a way to opt in to TUF testing to help with testing and reviewing it in the meantime, even if it's only very temporary.

Remaining tasks

Make TUF testable against the dev repo

See #40

https://github.com/php-tuf/drupal-project/ will create a test project that uses the TUF-protected DEV metadata, but this does not validate it inside of Package Manager.
Follow-ups for this:

  1. GitHub issue: Create test module to enable TUF validation in Package Manager
  2. Contrib module: #3416768: For testing purposes, allow PhpTufValidator to validate repositories other than packages.drupal.org

Release notes snippet

