Unofficially the Official Solution - Tag V1?

[nrdevau]

So there's a bit of chatter in slack about the implications of rotating the encryption key (feeling like a broken record at this point) and I'm thinking, if module is prod ready (obviously it is if people are using it in prod... right?!) it would be good to tag as v1.0.0 so we can at least get it installed on composer setups that disallow alpha tags.

I understand that this isn't the official Adobe chosen solution, but it feels like it's the best solution we have to which I am incredibly grateful! <3

Ideally I'd just slap it into my staging setup and have a play, but on Magento Cloud you can't just run composer require because of file permissions/ownership, so I'm forced to do things the not tacky way, and just wanted to help in making it clear that this is what people are using :+1:

Thanks again @convenient for a great solution to a tricky problem!

[nrdevau]

I note at packagist https://repo.packagist.org/packages/gene/module-encryption-key-manager I can only see v0.0.9 (v0.0.10) is missing?

I'll install v0.0.9 for now

[convenient]

Hello @nrdevau

This module is being used in prod, we've had it on production since monday the 15th

• the CLI key generation process has been well battle tested.
• The staged reencryption of remaining data has been well tested by ourselves and others, although we cannot be certain we've covered everything yet because third party modules can do anything they like
• The invalidation process has been less tested in the community, but with promising feedback. TBH with all the steps and methods out there, including the logging step prior to the invalidation, there's no need to rush straight to this point until you're happy.

Regarding a tagged release versus alpha, i was keen to keep it alpha to show very much that its "unstable" as far as the codebase goes. We can be changing the public interfaces and internals at any point right now to get the job done. As we solidify (which we're doing rapidly i think, the refinements are getting more and more focussed) we will tag 1.0.0, i'd expect this within the coming days/weeks tbh. But in the meantime there's no material difference between that and installing the latest alpha tag?

I forgot the webhooks for packagist.org weren't fully set up, I'll do that today. https://packagist.org/packages/gene/module-encryption-key-manager#v0.0.10-alpha is available now

Does that answer your questions?

[convenient]

Packagist webhooks have been fixed now @nrdevau

Please let me know if you've any further Qs 😄

[nrdevau]

Yep, that answers them, thanks! Sign me up as technically another Alpha tester ;) I'll sing out if I run into any issues that aren't my projects 3rd party caused

[convenient]

Even if your third party modules cause issues I would like to know @nrdevau , if only to understand another classification of problem