Problem/Motivation
A security audit of the key components of the package signing infrastructure is a requirement before Package Manager can be committed as alpha.
The most essential non-Drupal components should be reviewed by an independent security vendor:
- Rugged TUF server
- PHP TUF client library
- An integration test between these two components.
- Drupal.org's infrastructure integrating Rugged
- The collection of docker containers and their config.
- Key handling.
- Recommendation for key rotation schedule
- Composer integration plugin for PHP TUF
- The core Satis mirror and signing process
Drupal-specific scope:
- Composer Stager (not TUF related, but relevant to the security surface area)
- Package Manager - API for Automatic Updates and Project Browser
- Automatic Updates (which calls Composer Stager, to call composer audit)
- Decision tree about when and whether to update.
- Project Browser may not have extra scope that needs auditing
Remaining tasks
- Confirm the list of essential components for review (scope decided at DC Pittsburgh 2023)
- Engage a non-Drupal security audit consultant or firm with relevant experience
- Engage a Drupal security audit consultant or firm with relevant experience
- Make changes according to recommendations