
RFP/Call For Interest: The Update Framework (TUF) signing server for Drupal packages

Parent Feed: Drupal Association

Update 1: The deadline for letters of interest has been made open-ended.

Drupal.org is the home of the Drupal community. In its 20 year history, Drupal.org has always been the central source for downloading Drupal core and all the contributed extensions that are part of the ecosystem.

As the Drupal project has first moved to support Composer for PHP-based dependency management, and now looks to implement an automatic updates system, we intend to significantly strengthen the security of our central package delivery.

Successful completion of this project will include implementing a signing server for The Update Framework (TUF), based on the Python reference implementation, in a reliable and scalable way on Drupal.org infrastructure. The TUF signatures it produces will be validated by the new PHP-TUF client being built for inclusion in Drupal core.

Scope

Project scope should include Discovery, Project Management, Development, Security Review, and Quality Assurance for the following key features:

  1. Implementation of the server side of The Update Framework (TUF): https://theupdateframework.io/overview/ - preferably based on the reference implementation in Python, but we are willing to consider another existing implementation of the specification if one exists.
  2. Confirmation that the implementation is compatible with the PHP-TUF client application.
  3. Support in standing up this signing service on production infrastructure for Drupal.org, in collaboration with the Drupal Association staff.

Technical constraints and additional requirements

The chosen solution must meet the following additional technical constraints and requirements:

Vendor requirements

The Drupal Association will consider contracts from both individual developers and agencies.

An individual must:

  • Be a member of the Drupal Association
  • Provide a portfolio of examples of package signing or other signature-based security implementations.

An agency must:

  • Be an active Supporting Partner of the Drupal Association that qualifies for any level of the new Drupal Certified Partner Program
  • Provide a portfolio of examples of prior package signing or other signature-based security implementations.
  • Provide a statement or link that reflects your organization's commitment to Diversity, Equity, and Inclusion.

Other Considerations:

Please indicate if you’re willing to accept in-kind benefits if your bid comes in higher than our allocated budget. The cash portion of the budget should not exceed $30,000 USD.

The point person for this project at the Drupal Association is generally available between 4:00 PM - 11:00 PM UTC. We welcome global responses but we’d prefer meeting times to be within our standard business hours. We will make every effort to accommodate times outside of standard Pacific Time business hours.

Timeline

We would like the TUF package signing solution implemented no later than October 31st, 2021.

Individuals or Agencies who intend to participate should provide their bids and samples of portfolio work to the Drupal Association via email ([email protected]) no later than Friday, July 29th at 5pm U.S. Pacific. Respondents will be notified of the decision no later than August 20th.
