Newsgroups: php.internals
Xref: news.php.net php.internals:114238
Date: Wed, 28 Apr 2021 16:23:13 +0200
From: krakjoe@gmail.com (Joe Watkins)
To: Nikita Popov
Cc: "Christoph M. Becker", PHP internals
Subject: Re: [PHP-DEV] Retire distributions repo in favor of something more suitable
References: <1fadb99e-8880-b491-9db6-a9923c4d02d2@gmx.de>

Actually the detached signatures are not part of the normal commit process
(doesn't look like they'll be in logs either), but the tag that you need to
make the release archive is ...

So we'd really want restriction on creating tags, somehow ...

Possibly we could also emulate some of the protection that version files
used to have.

It's not so simple ...

Cheers
Joe

On Wed, 28 Apr 2021 at 16:18, Joe Watkins wrote:

> That's a good point.
>
> I suppose the most we can do is prevent accidental committing of such
> things.
>
> Appears to be two "solutions" ...
>
> We could distribute a pre-commit hook, which is somewhere between "not
> bad", and "pretty awkward" if your git installation is old.
> We could set up one of the unused boxes we have and leverage
> api/actions/whatever and catch bad commits after they happen.
>
> Neither of these are perfect solutions ... and I've never tried using
> hooks with GitHub, but with a quick read it seems people do it - it's
> another paragraph in the git/vcs readme on the wiki.
>
> Any more ideas?
>
> Cheers
> Joe
>
> On Wed, 28 Apr 2021 at 15:52, Nikita Popov wrote:
>
>> On Tue, Apr 27, 2021 at 4:41 PM Christoph M. Becker
>> wrote:
>>
>> > Hi all,
>> >
>> > the distributions repo[1] is huge (currently ~26 GiB), and it will grow
>> > further over time; that causes issues when trying to check it out[2],
>> > and frankly, I don't see why we're having the tarballs in a VCS at all.
>> >
>> > Wouldn't it be more suitable to make the tarballs available somewhere
>> > else? Since we're using GitHub anyway, an appropriate place could be
>> > the tags, where it is already possible to add attachments.
>> >
>> > From what I can tell, that would require some modifications to web-php
>> > and web-qa, so that the proper download links would be available there,
>> > but otherwise shouldn't be a big issue.
>> >
>>
>> One possible issue I see is that anyone with write access to the repo can
>> upload release artifacts (I think), and I'm not even sure if changes in
>> artifacts show up in the audit log.
>>
>> Nikita
>>
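
Added example, not part of the original message or of any PHP project tooling: a client-side `pre-push` hook (used here instead of the pre-commit hook mentioned in the thread, because a tag is not created by a commit) that stops a tag from being pushed by accident. `ALLOW_TAG_PUSH` is a hypothetical opt-in variable, and like any client-side hook this only guards against accidents, since a contributor can skip it.

```shell
#!/bin/sh
# Added example: install as .git/hooks/pre-push in a clone.
# For every ref being pushed, git writes one line to the hook's stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
# ALLOW_TAG_PUSH is a hypothetical variable a release manager sets on purpose.

# Reads pre-push lines from stdin.
# Returns 0 if no tag ref is touched (or the push is explicitly allowed),
# 1 if any refs/tags/* ref would be created, moved or deleted.
check_pushed_refs() {
    if [ "${ALLOW_TAG_PUSH:-0}" = "1" ]; then
        return 0
    fi
    blocked=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        case "$remote_ref" in
            refs/tags/*)
                echo "pre-push: refusing to push tag $remote_ref" >&2
                echo "pre-push: set ALLOW_TAG_PUSH=1 if this is a release" >&2
                blocked=1
                ;;
        esac
    done
    [ "$blocked" -eq 0 ]
}

# Run the check only when executed as the hook itself, so the function
# can also be sourced and exercised in isolation.
case "$0" in
    */pre-push)
        check_pushed_refs || exit 1
        ;;
esac
```
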