Drupal Association blog: Call For Interest: The Update Framework (TUF) signing server for Drupal packages

Drupal.org is the home of the Drupal community. In its 20-year history, Drupal.org has always been the central source for downloading Drupal core and all the contributed extensions that make up the ecosystem.

Having first moved to support Composer for PHP-based dependency management, the Drupal project now looks to implement an automatic updates system, and we intend to significantly strengthen the security of our central package delivery alongside it.

Successful completion of this project will include implementing a signing server based on the Python reference implementation of The Update Framework (TUF), deployed in a reliable and scalable way on Drupal.org infrastructure. The TUF metadata and signatures it produces will be validated by the new PHP-TUF client being built for inclusion in Drupal core.

Scope

Project scope should include Discovery, Project Management, Development, Security Review, and Quality Assurance for the following key features:

  1. Implementation of the server side of The Update Framework (TUF): https://theupdateframework.io/overview/ – preferably based on the reference implementation in Python, but we are willing to consider another existing implementation of the specification if one exists.
  2. Confirmation that the implementation is compatible with the PHP-TUF client application.
  3. Support in standing up this signing service on production infrastructure for Drupal.org, in collaboration with the Drupal Association staff.
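To make items 1 and 2 concrete, here is a small Python model of what the signing server has to produce and what a PHP-TUF-style client checks against it. This is an added example written for this page, not code from Drupal.org, python-tuf or PHP-TUF; it follows the TUF 1.0 metadata layout (root, timestamp, snapshot, targets) and the client's top-down verification order. Two things are assumptions: the package path and file contents are constructed, and the signature primitive is replaced by HMAC-SHA256 so the file runs on the Python standard library, which means the client in this model holds the same secret as the server. A real deployment uses ed25519, ECDSA or RSA-PSS keys whose private halves never leave the signing server, with only public keys published in root.json.

```python
"""Model of the TUF metadata chain: the server signs root/timestamp/snapshot/
targets metadata; the client verifies them top-down before trusting a package.
Added example, not Drupal.org, python-tuf or PHP-TUF code. The signature
primitive is a stand-in (HMAC-SHA256, a shared-secret MAC); real TUF uses
ed25519/ECDSA/RSA-PSS keys with private halves only on the signing server."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

def canonical(obj):
    # TUF signs the canonical JSON encoding of the "signed" dictionary.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def utc(days_from_now=0):
    t = datetime.now(timezone.utc) + timedelta(days=days_from_now)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")  # TUF "expires" format

class DemoKey:
    def __init__(self, secret):
        self.secret = secret
        self.keyid = sha256(b"demo-key:" + secret)  # keyid derived from key material, as in TUF

    def sign(self, signed):
        return hmac.new(self.secret, canonical(signed), "sha256").hexdigest()

    def verify(self, signed, sig):
        return hmac.compare_digest(self.sign(signed), sig)

def sign_metadata(signed, keys):
    return {"signatures": [{"keyid": k.keyid, "sig": k.sign(signed)} for k in keys],
            "signed": signed}

def build_repository(keys, target_files, version=1):
    """Server side. keys: role -> [DemoKey]; target_files: path -> bytes (constructed)."""
    def base(role, days):
        return {"_type": role, "spec_version": "1.0.0", "version": version, "expires": utc(days)}
    root = dict(base("root", 365), consistent_snapshot=False,
                keys={k.keyid: {"keytype": "hmac-sha256-demo"} for ks in keys.values() for k in ks},
                roles={r: {"keyids": [k.keyid for k in ks], "threshold": 1} for r, ks in keys.items()})
    targets = dict(base("targets", 30), targets={
        p: {"length": len(b), "hashes": {"sha256": sha256(b)}} for p, b in target_files.items()})
    targets_md = sign_metadata(targets, keys["targets"])
    snapshot_md = sign_metadata(dict(base("snapshot", 7), meta={
        "targets.json": {"version": targets["version"]}}), keys["snapshot"])
    snap_bytes = canonical(snapshot_md)  # timestamp pins the exact snapshot bytes
    timestamp_md = sign_metadata(dict(base("timestamp", 1), meta={"snapshot.json": {
        "version": snapshot_md["signed"]["version"], "length": len(snap_bytes),
        "hashes": {"sha256": sha256(snap_bytes)}}}), keys["timestamp"])
    return {"root.json": sign_metadata(root, keys["root"]), "timestamp.json": timestamp_md,
            "snapshot.json": snapshot_md, "targets.json": targets_md}

class VerificationError(Exception): pass

class Client:
    """Client side: trusts one root, then checks timestamp -> snapshot -> targets -> file."""
    def __init__(self, trusted_root_md, keyring):
        self.root = trusted_root_md["signed"]
        self.keyring = keyring       # keyid -> DemoKey (public keys only, in real TUF)
        self.seen_versions = {}      # highest version seen per role, to reject rollback

    def _verify_role(self, md, role):
        signed, rinfo = md["signed"], self.root["roles"][role]
        if signed["_type"] != role:
            raise VerificationError(f"{role}: unexpected metadata type")
        good = {s["keyid"] for s in md["signatures"] if s["keyid"] in rinfo["keyids"]
                and self.keyring[s["keyid"]].verify(signed, s["sig"])}
        if len(good) < rinfo["threshold"]:
            raise VerificationError(f"{role}: signature threshold not met")
        if signed["expires"] <= utc():
            raise VerificationError(f"{role}: metadata expired")
        if signed["version"] < self.seen_versions.get(role, 0):
            raise VerificationError(f"{role}: rollback to older version")
        self.seen_versions[role] = signed["version"]
        return signed

    def fetch(self, repo, files, path):
        ts = self._verify_role(repo["timestamp.json"], "timestamp")
        pinned, snap_bytes = ts["meta"]["snapshot.json"], canonical(repo["snapshot.json"])
        if len(snap_bytes) != pinned["length"] or sha256(snap_bytes) != pinned["hashes"]["sha256"]:
            raise VerificationError("snapshot: bytes do not match what timestamp pins")
        snap = self._verify_role(repo["snapshot.json"], "snapshot")
        tgt = self._verify_role(repo["targets.json"], "targets")
        if snap["version"] != pinned["version"] or tgt["version"] != snap["meta"]["targets.json"]["version"]:
            raise VerificationError("version chain between timestamp, snapshot and targets is broken")
        info = tgt["targets"].get(path)
        if info is None:
            raise VerificationError(f"{path}: not listed in targets")
        data = files[path]
        if len(data) != info["length"] or sha256(data) != info["hashes"]["sha256"]:
            raise VerificationError(f"{path}: length or hash mismatch")
        return data
```

The client accepts a package only when every link holds: enough valid signatures from the keys root.json names for each role, no expired metadata, no version lower than one it has already seen, snapshot bytes matching the length and hash pinned by timestamp, a targets version matching snapshot, and the file's length and SHA-256 matching targets. Serving an older repository to a client that has already seen a newer one, or swapping the package file, fails the corresponding check. The signing service has to produce this whole chain on every release, which is why the scope calls out compatibility testing against PHP-TUF.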

Technical constraints and additional requirements

The chosen solution must meet the following additional technical constraints and requirements: 

Vendor requirements

The Drupal Association will consider contracts from both individual developers and agencies.

An individual must: 

  • Be a member of the Drupal Association
  • Provide a portfolio of examples of package signing or other signature-based security implementations. 

An agency must: 

  • Be an active Supporting Partner of the Drupal Association that qualifies for any level of the new Drupal Certified Partner Program
  • Provide a portfolio of examples of prior package signing or other signature-based security implementations.
  • Provide a statement or link that reflects your organization’s commitment to Diversity, Equity, and Inclusion.

Other Considerations:

Please indicate if you’re willing to accept in-kind benefits if your bid comes in higher than our allocated budget. The cash portion of the budget should not exceed $30,000 USD.

The point person for this project at the Drupal Association is generally available between 4:00 PM and 11:00 PM UTC (9:00 AM to 4:00 PM Pacific Daylight Time). We welcome global responses, but we would prefer meeting times within those standard business hours and will make every effort to accommodate times outside them.

Timeline

We would like the TUF package signing solution implemented no later than October 31st, 2021.

Individuals or agencies who intend to participate should provide their bids and samples of portfolio work to the Drupal Association via email (tim@association.drupal.org) no later than Friday, July 29th at 5:00 PM U.S. Pacific. Respondents will be notified of the decision no later than August 20th.
