Newsgroups: php.doc,php.internals
Subject: Re: [PHP-DEV] Changes to Git commit workflow
From: dragoonis@gmail.com (Paul Dragoonis)
Date: Mon, 29 Mar 2021 08:59:54 +0100
To: Rasmus Lerdorf
Cc: Sara Golemon, Nikita Popov, PHP Doc Mailing List, PHP internals, Paul Crovella

On Mon, 29 Mar 2021, 08:51 Paul Dragoonis, wrote:

> On Mon, 29 Mar 2021, 02:30 Rasmus Lerdorf, wrote:
>
>> On Sun, Mar 28, 2021 at 17:15 Sara Golemon wrote:
>>
>> > On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella wrote:
>> >
>> >> You might consider requiring commits be signed while you're at it.
>> >
>> > I suggested this as well, and even if we don't require it, we should
>> > STRONGLY encourage it.
>> >
>> > I've been signing my commits for several years now, it's not even that
>> > hard.
>>
>> I think for php-src commits we can require it. For doc and other repos we
>> can make it optional for now until people are more comfortable with it.
>>
>> -Rasmus
>
> Hey Rasmus,
>
> This is a good compromise.
>
> However, if you leave phpweb repo without signed commits then we're at
> risk from XSS or similar attacks still, and the surface area is really big
> because literally everyone is accessing the site.
>
> Many thanks,
> Paul

I also wanted to say: back when I was rebuilding our website a few years
ago, when you pushed to master it would automatically deploy this to the
live site. If we are compromised and we still automatically roll out to
production, this would make it really easy for someone. Can someone check
how we currently do this, and maybe we should reconsider auto production
deploys, even if it's temporary, to be on the safe side.
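The two controls discussed in this thread, requiring signed commits and not rolling unverified pushes straight to production, can be combined into a single deploy gate. The following is an added example, not code from the thread or from any php.net tooling: it consumes the output of `git log --format='%H %G? %GF' <deployed>..<candidate>` (the `%G?` signature-status and `%GF` key-fingerprint placeholders are real git log format specifiers), refuses any commit that is unsigned, has a non-good signature status, or was signed by a key outside an allow-list, and only then lets the deployment proceed. The SHAs, fingerprints and allow-list below are constructed sample values.

```python
"""Deploy gate for a push-to-deploy pipeline: every commit in the range being
rolled out must carry a good signature from an allow-listed key.

Added example, not php.net's own deployment code. The offline sample below
feeds constructed `git log` output in directly; git_log_lines() shows the real
invocation a pipeline would use (an assumed helper, not part of git).
"""
from dataclasses import dataclass
import subprocess
from typing import Iterable, List, Set

# Values of git's %G? placeholder (from git-log(1)):
#   G good signature          B bad signature
#   U good, unknown validity  X good, but signature expired
#   Y good, but key expired   R good, but key revoked
#   E cannot be checked       N no signature
# Only an unambiguously good signature is accepted by this gate.
GOOD_STATUS = {"G"}


@dataclass(frozen=True)
class CommitCheck:
    sha: str
    status: str
    fingerprint: str
    allowed: bool
    reason: str


def check_commit(sha: str, status: str, fingerprint: str,
                 allowed_keys: Set[str]) -> CommitCheck:
    """Decide whether one commit may be deployed, with a human-readable reason."""
    if status == "N":
        return CommitCheck(sha, status, fingerprint, False, "unsigned")
    if status not in GOOD_STATUS:
        return CommitCheck(sha, status, fingerprint, False,
                           f"signature status {status}")
    if fingerprint.upper() not in allowed_keys:
        return CommitCheck(sha, status, fingerprint, False,
                           "key not in allow-list")
    return CommitCheck(sha, status, fingerprint, True, "ok")


def check_log(lines: Iterable[str], allowed_keys: Iterable[str]) -> List[CommitCheck]:
    """Parse '<sha> <status> <fingerprint>' lines; %GF is empty for unsigned commits."""
    allowed = {k.upper() for k in allowed_keys}
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parts = line.split(maxsplit=2)
        sha = parts[0]
        status = parts[1] if len(parts) > 1 else "N"
        fingerprint = parts[2].strip() if len(parts) > 2 else ""
        results.append(check_commit(sha, status, fingerprint, allowed))
    return results


def deploy_allowed(lines: Iterable[str], allowed_keys: Iterable[str]) -> bool:
    """True only when every commit in the range passes (an empty range has nothing to block)."""
    return all(c.allowed for c in check_log(lines, allowed_keys))


def git_log_lines(deployed_ref: str, candidate_ref: str, repo: str = ".") -> List[str]:
    """Real invocation for a pipeline; not used by the offline sample below."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %G? %GF",
         f"{deployed_ref}..{candidate_ref}"],
        capture_output=True, text=True, check=True).stdout
    return out.splitlines()


# Constructed sample `git log` output: fake SHAs and fake key fingerprints.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G ABCDEF0123456789ABCDEF0123456789ABCDEF01
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 G FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
4444444444444444444444444444444444444444 B ABCDEF0123456789ABCDEF0123456789ABCDEF01
"""
# Constructed allow-list of release-key fingerprints.
ALLOWED_KEYS = {"ABCDEF0123456789ABCDEF0123456789ABCDEF01"}

if __name__ == "__main__":
    for c in check_log(SAMPLE_LOG.splitlines(), ALLOWED_KEYS):
        verdict = "allow" if c.allowed else "BLOCK"
        print(f"{c.sha[:12]} {c.status} {verdict} ({c.reason})")
    print("deploy allowed:", deploy_allowed(SAMPLE_LOG.splitlines(), ALLOWED_KEYS))
```

Running it against the constructed log blocks the deployment: one commit is unsigned, one is signed by a key that is not on the allow-list, and one has a bad signature. Checking the key fingerprint, not just the `%G?` status, is what turns "require signed commits" into a real control: a compromised account can still push commits signed with some key, but not with one of the keys the release process trusts.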