php-tuf / composer-integration

PHP-TUF Composer Plugin.

Do not download dist file targets for metapackages #103

Closed drumm closed 3 months ago

drumm commented 4 months ago
Installation failed, reverting ./composer.json and ./composer.lock to their original content.

In ComposerRepository.php line 1450:

  Could not load packages drupal/core-recommended in composer repo (https://signed-packagist.staging.devdrupal.org/) from cached file (provider-drupal~core-recommended.json originating from https://signed-packagist.staging.devdrupal.org/p2/drupal/core-recommended.json): [Tuf\Exception\NotFoundException] Target not found: drupal/core-recommended/10.2.2.0

In ComposerCompatibleUpdater.php line 64:

  Target not found: drupal/core-recommended/10.2.2.0  

require [--dev] [--dry-run] [--prefer-source] [--prefer-dist] [--prefer-install PREFER-INSTALL] [--fixed] [--no-suggest] [--no-progress] [--no-update] [--no-install] [--no-audit] [--audit-format AUDIT-FORMAT] [--update-no-dev] [-w|--update-with-dependencies] [-W|--update-with-all-dependencies] [--with-dependencies] [--with-all-dependencies] [--ignore-platform-req IGNORE-PLATFORM-REQ] [--ignore-platform-reqs] [--prefer-stable] [--prefer-lowest] [-m|--minimal-changes] [--sort-packages] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--apcu-autoloader-prefix APCU-AUTOLOADER-PREFIX] [--] [<packages>…]

This is caused by drupal/core-recommended/10.2.2.0 not being something that should be processed or downloaded because Composer metapackages are special.

Our mirror for drupal/* packages on Packagist.org uses Satis, which uses Composer to decide what to download. So it does not download dist files for metapackages. This means we don't mirror those and they do not get signed as targets. dist data is present in the composer json files, but those are pretty much vestigial. This shows up as https://signed-packagist.staging.devdrupal.org/p2/drupal/core-recommended.json not having rewritten the URLs from GitHub.

Solution

The quick solution would be to add if (metapackage) { skip looking at dist } to the right place.

A more-correct solution might be using https://github.com/composer/composer/blob/11e5237ad9d9e8f29bdc57d946f87c816320d863/src/Composer/Installer/MetapackageInstaller.php#L59 in some way to not hard-code metapackage behavior, and anything similar found.

phenaproxima commented 3 months ago

My initial reaction is to make this a per-repository configuration option, because although packages.drupal.org doesn't bother signing metapackages, other repositories might. Metapackages do, it seems, have dist information (at least based on what I'm seeing in https://packagist.org/packages/drupal/core-recommended.json), so it's conceivable that someone might want to sign a metapackage even though there's no payload associated with it.

So maybe we could have something like this (say, in a project's composer.json):

"repositories": {
  "drupal": {
    "type": "composer",
    "url": "https://packages.drupal.org/8",
    "tuf": {
      "ignore-package-types": ["metapackage"]
    }
  }
}

Thoughts?

drumm commented 3 months ago

My understanding is that metapackages would behave the same, regardless of source. This behavior is implemented in the Composer client. The only exceptions would be if a Composer plugin changed the behavior to download the dist file; or if a future version of Composer changed the behavior. The dist information from Packagist.org is vestigial; it's easier for them to not make metapackages special, even if the client doesn't need the data.

phenaproxima commented 3 months ago

Then maybe just explicitly skipping metapackages is fine, at least for now.
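The check the thread settles on, written out as an added example (this is not code from php-tuf/composer-integration): given a package entry shaped like the records in a `p2/<vendor>/<package>.json` file, decide whether a signed dist target should be looked up at all. It assumes the target name is `<name>/<version_normalized>`, matching the `drupal/core-recommended/10.2.2.0` name in the error above; the optional `ignore-package-types` argument mirrors the per-repository setting proposed earlier in the thread and is hypothetical, defaulting to skipping `metapackage` only. The sample package entries are constructed.

```php
<?php
// Added example, not the plugin's own code. Decides whether a package entry
// from a Composer p2 JSON file needs a signed TUF dist target.
declare(strict_types=1);

/**
 * Return the TUF target name to verify for a package entry, or null when the
 * package has no downloadable dist and so no signed target should be expected.
 *
 * @param array $package        One entry from a p2 package JSON file.
 * @param array $ignoreTypes    Package types with no dist payload. Defaults to
 *                              ['metapackage']; the configurable list is the
 *                              hypothetical "ignore-package-types" option.
 */
function tufDistTarget(array $package, array $ignoreTypes = ['metapackage']): ?string
{
    // Composer's MetapackageInstaller never downloads anything, so a
    // metapackage's dist block is vestigial and is never a signed target.
    $type = $package['type'] ?? 'library';
    if (in_array($type, $ignoreTypes, true)) {
        return null;
    }
    // A source-only entry with no dist URL has nothing to verify either.
    if (empty($package['dist']['url'])) {
        return null;
    }
    // Assumed target naming: "<name>/<version_normalized>", as in the error.
    return $package['name'] . '/' . $package['version_normalized'];
}

// Constructed sample entries shaped like p2/drupal/*.json records.
$samples = [
    [
        'name' => 'drupal/core-recommended',
        'version_normalized' => '10.2.2.0',
        'type' => 'metapackage',
        'dist' => ['type' => 'zip', 'url' => 'https://example.invalid/core-recommended.zip'],
    ],
    [
        'name' => 'drupal/core',
        'version_normalized' => '10.2.2.0',
        'type' => 'drupal-core',
        'dist' => ['type' => 'zip', 'url' => 'https://example.invalid/core.zip'],
    ],
    [
        'name' => 'drupal/source-only',
        'version_normalized' => '1.0.0.0',
        'type' => 'library',
        'source' => ['type' => 'git', 'url' => 'https://example.invalid/source-only.git'],
    ],
];

foreach ($samples as $p) {
    $target = tufDistTarget($p);
    printf(
        "%-25s %-12s -> %s\n",
        $p['name'],
        $p['type'],
        $target === null ? 'skip (no dist target expected)' : 'verify target ' . $target
    );
}
```

The point of returning `null` rather than throwing is that the caller can distinguish "no target is expected for this package" from "a target is expected but missing from the signed metadata": only the second case should surface as the `Target not found` failure shown above, since that is the case where an unsigned download would otherwise be accepted.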