@phenaproxima
Collaborator

TODO

@davidstrauss davidstrauss left a comment

I'm not familiar enough with Composer internals to comment on the integration architecture, but this looks like it should work exactly how we discussed.

Condolences on not being able to use Xdebug on the plugin. :-( I suspect this also means you can't use Composer plugins if you disable eval calls.

My only other thought on seeing this was how modern the PHP code is. In almost every sense, this is great, but I assume we must be setting a pretty high minimum PHP requirement for users. Yet, if that's what Composer does (use very modern PHP), maybe we don't have much choice?

@effulgentsia

> My only other thought on seeing this was how modern the PHP code is. In almost every sense, this is great, but I assume we must be setting a pretty high minimum PHP requirement for users. Yet, if that's what Composer does (use very modern PHP), maybe we don't have much choice?

Composer 2.0 supports PHP 5.3.2, but per composer/composer#9303, Composer 2.1 or 2.2 plans to set the minimum to PHP 7.1.3.

This plugin should probably explicitly set its PHP minimum to 7.1.3 in its composer.json and not use syntax beyond that. Or, if there are later PHP features that we really need, then let's open an issue to discuss raising that minimum to see if that's ok with the PHP projects that intend to use this.

@phenaproxima
Collaborator Author

phenaproxima commented Apr 12, 2021

> This plugin should probably explicitly set its PHP minimum to 7.1.3 in its composer.json and not use syntax beyond that.

Why? PHP-TUF itself requires PHP 7.2.5 or later (probably because of the Sodium dependency), so we should probably require the same minimum as PHP-TUF itself, no? Everything I did in this plugin assumes PHP 7.2 or later.

@effulgentsia

Well, yeah, if PHP-TUF itself requires PHP 7.2.5, then that's an ok minimum for this plugin as well.

@effulgentsia

I don't know if there's an issue where PHP minimum version was discussed, but TYPO3 10 and Joomla 4 require PHP 7.2, so we're good there.

PHP 7.1 has extended support in Zend Server until Jan. 2023, but that doesn't mean that we need to cater to that if there's a good reason why we need PHP 7.2, and it sounds like there is.

@phenaproxima
Collaborator Author

PHP-TUF could theoretically use something like paragonie/sodium_compat if we wanted to support older versions, but PHP 7.2 has been unsupported for 4 months at this point anyway (according to https://www.php.net/eol.php), so IMHO it makes more sense to just stick with our existing minimums and bump them later when we need to.

@phenaproxima changed the title from "Use TUF to transparently download and verify packages and metadata" to "Use TUF to verify packages and metadata" on Apr 15, 2021
@phenaproxima merged commit 2bf2e57 into main on Apr 15, 2021
@phenaproxima deleted the wip branch on April 15, 2021 12:28