Drupal, a globally utilized open source digital experience platform and content management system, is sustained by a community of over 100,000 contributors, and supports more than 1.3 million users on Drupal.org. The Drupal Association, a non-profit organization, ensures community growth, and oversees critical aspects like packaging releases and updates for the Drupal software project.
As part of its commitment to strengthen Drupal's security, the Drupal Association is spearheading an initiative to implement automatic updates and installations of extensions within Drupal’s core. To increase the supply chain security for these updates, the project is adopting The Update Framework (TUF), a Cloud Native Computing Foundation framework designed to secure software update systems.
TUF is being implemented in two components: PHP-TUF, the client-side implementation in PHP, and Rugged, the server-side implementation used by Drupal.org to sign packages. Before being integrated into production systems, these components are subjected to an external security audit in accordance with existing best practices, further increasing confidence in the solution. The results of the security audit process will be shared so that other communities implementing TUF can benefit. In particular, the team has been in communication with Packagist.org, Joomla, and Typo3, which are following the results of this work closely.
Supply chain security is a crucial part of any automatic update system. Independent security audits are essential for ensuring the reliability and security of software components. By subjecting PHP-TUF and Rugged to a third-party security audit, the Drupal community aims to instill trust in major projects, fostering a broader adoption of TUF within the PHP ecosystem. This initiative will have a cascading positive impact on the overall security and reliability of PHP-based applications.
Given Drupal's significance in powering the digital infrastructure of major organizations and entities such as the United Nations, the European Union, and the United States government, the emphasis on security is paramount. It is also used in eCommerce, healthcare, and civic engagement platforms that require a system that is accessible, safe, and secure. DPGA recognizes Drupal as a digital public good, and Drupal is a cornerstone in maintaining a free and open web, offering an alternative to restrictive platforms.
Automatic updates with TUF not only make Drupal more user-friendly, they also reduce ownership cost and maintenance burden. These security audits implement current best practices, as befits Drupal's position as a steward of the free and open web.
The work the Sovereign Tech Fund is commissioning will fortify the security infrastructure of Drupal and improve the user experience for developers through modernized tools and processes. It also addresses the challenge of supply chain security, crucial for mitigating vulnerabilities and ensuring data protection for Drupal sites globally.
- Staging and production deployment of secure signing for all Drupal.org hosted packages according to The Update Framework specification.
- Conduct third-party security audits of:
  - Drupal integration code
  - PHP-TUF client and Rugged server
- Aid the Drupal community in modernizing developer tools (migration from bespoke issue tracker to GitLab)
- Optimize GitLab Continuous Integration system for enhanced performance