Closed drumm closed 3 months ago
My initial reaction is to make this a per-repository configuration option, because although packages.drupal.org doesn't bother signing metapackages, other repositories might. Metapackages do, it seems, have dist information (at least based on what I'm seeing in https://packagist.org/packages/drupal/core-recommended.json), so it's conceivable that someone might want to sign a metapackage even though there's no payload associated with it.
So maybe we could have something like this (say, in a project's composer.json):
    "repositories": {
        "drupal": {
            "type": "composer",
            "url": "https://packages.drupal.org/8",
            "tuf": {
                "ignore-package-types": ["metapackage"]
            }
        }
    }
Thoughts?
My understanding is that metapackages would behave the same, regardless of source. This behavior is implemented in the Composer client. The only exceptions would be if a Composer plugin changed the behavior to download the dist file; or if a future version of Composer changed the behavior. The dist information from Packagist.org is vestigial; it's easier for them to not make metapackages special, even if the client doesn't need the data.
Then maybe just explicitly skipping metapackages is fine, at least for now.
This is caused by drupal/core-recommended/10.2.2.0 not being something that should be processed or downloaded because Composer metapackages are special.
Our mirror for drupal/* packages on Packagist.org uses Satis, which uses Composer to decide what to download. So it does not download dist files for metapackages. This means we don't mirror those and they do not get signed as targets.
dist data is present in the composer json files, but those are pretty much vestigial. This shows up as https://signed-packagist.staging.devdrupal.org/p2/drupal/core-recommended.json not having rewritten the URLs from GitHub.
Solution
The quick solution would be to add if (metapackage) { skip looking at dist } to the right place.
A more-correct solution might be using https://github.com/composer/composer/blob/11e5237ad9d9e8f29bdc57d946f87c816320d863/src/Composer/Installer/MetapackageInstaller.php#L59 in some way to not hard-code metapackage behavior, and anything similar found.
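The skip discussed in this issue, as an added example (not code from php-tuf, Composer, or anyone in this thread): it picks out which dist URLs in a p2 metadata file need a signed TUF target and leaves metapackages out. It goes one step beyond the thread by expanding Composer 2 minified metadata first, since later versions there can omit "type". The function names, the $ignoredTypes parameter (mirroring the hypothetical ignore-package-types option above) and the sample metadata are assumptions made for illustration.

```php
<?php
// Added example. Function names and $ignoredTypes are hypothetical; the sample data is constructed.
/** Expand Composer 2 minified metadata, where each entry holds only the keys that changed. */
function expandVersions(array $versions): array
{
    $expanded = $current = [];
    foreach ($versions as $delta) {
        foreach ($delta as $key => $value) {
            if ($value === '__unset') {
                unset($current[$key]);      // key removed relative to the previous entry
            } else {
                $current[$key] = $value;    // key added or changed
            }
        }
        $expanded[] = $current;
    }
    return $expanded;
}

/** Map "name/version" => dist URL for every version whose dist should be a signed target. */
function distTargetsToVerify(array $metadata, array $ignoredTypes = ['metapackage']): array
{
    $targets = [];
    foreach ($metadata['packages'] ?? [] as $name => $versions) {
        foreach (expandVersions($versions) as $v) {
            $type = $v['type'] ?? 'library'; // Composer's default package type
            // Composer downloads no payload for a metapackage, so its dist is never fetched.
            if (in_array($type, $ignoredTypes, true) || empty($v['dist']['url'])) {
                continue;
            }
            $targets["$name/{$v['version']}"] = $v['dist']['url'];
        }
    }
    return $targets;
}

// Constructed sample: the 10.2.1 entry omits "type" and inherits "metapackage" from 10.2.2.
$metadata = json_decode(<<<'JSON'
{"minified": "composer/2.0", "packages": {
  "drupal/core-recommended": [
    {"version": "10.2.2", "type": "metapackage", "dist": {"url": "https://example.invalid/cr-10.2.2.zip"}},
    {"version": "10.2.1", "dist": {"url": "https://example.invalid/cr-10.2.1.zip"}}
  ],
  "drupal/example_module": [
    {"version": "1.0.0", "type": "drupal-module", "dist": {"url": "https://example.invalid/mod-1.0.0.zip"}}
  ]
}}
JSON, true);
print_r(distTargetsToVerify($metadata));
```

Only the drupal/example_module entry is returned; a check that reads "type" from each raw entry without expanding would treat 10.2.1 as a library and look for a target that was never signed.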