Newsgroups: php.internals
Xref: news.php.net php.internals:114240
Date: Wed, 28 Apr 2021 16:47:52 +0200
To: Joe Watkins
Cc: "Christoph M. Becker", PHP internals
Subject: Re: [PHP-DEV] Retire distributions repo in favor of something more suitable
From: nikita.ppv@gmail.com (Nikita Popov)

On Wed, Apr 28, 2021 at 4:18 PM Joe Watkins wrote:

> That's a good point.
>
> I suppose the most we can do is prevent accidental committing of such
> things.
>
> Appears to be two "solutions" ...
>
> We could distribute a pre-commit hook, which is somewhere between "not
> bad", and "pretty awkward" if your git installation is old.
> We could set up one of the unused boxes we have and leverage
> api/actions/whatever and catch bad commits after they happen.
>
> Neither of these are perfect solutions ... and I've never tried using
> hooks with github, but with a quick read it seems people do it - it's
> another paragraph in the git/vcs readme on the wiki.
>
> Any more ideas ?
>
> Cheers
> Joe
>

I don't think the tags themselves are a problem -- for those at least we have an audit trail in the form of our webhook integration, which sends out emails for all tag creations/deletions, and by whom they were made. I'm not even sure if our old karma setup had any special protection for tag creation.

Having looked a bit closer now, it looks like the same would work for release assets as well. There are webhooks for changes to releases, which also list assets and who uploaded them. That should at least make us aware of any changes.

Nikita

> On Wed, 28 Apr 2021 at 15:52, Nikita Popov wrote:
>
>> On Tue, Apr 27, 2021 at 4:41 PM Christoph M. Becker
>> wrote:
>>
>> > Hi all,
>> >
>> > the distributions repo[1] is huge (current ~ 26GiB), and it will grow
>> > further over time; that causes issues when trying to check it out[2],
>> > and frankly, I don't see why we're having the tarballs in a VCS at all.
>> >
>> > Wouldn't it be more suitable to make the tarballs available somewhere
>> > else? Since we're using Github anyway, an appropriate place could be
>> > the tags, where it is already possible to add attachments.
>> >
>> > From what I can tell, that would require some modifications to web-php
>> > and web-qa, so that the proper download links would be available there,
>> > but otherwise shouldn't be a big issue.
>> >
>>
>> One possible issue I see is that anyone with write access to the repo can
>> upload release artifacts (I think), and I'm not even sure if changes in
>> artifacts show up in the audit log.
>>
>> Nikita
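
The audit trail discussed in this message, release webhooks that list assets and who uploaded them, can be sketched as follows. This is an added example, not part of the original thread and not the php.net webhook integration: the secret, the payload values and the function names are constructed for illustration, while the payload fields and the `X-Hub-Signature-256` scheme follow GitHub's webhook format.

```python
import hashlib
import hmac
import json

# Constructed shared secret and release payload, for illustration only.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "edited",
    "sender": {"login": "example-maintainer"},
    "repository": {"full_name": "example-org/example-src"},
    "release": {
        "tag_name": "example-1.2.3",
        "assets": [
            {"name": "example-1.2.3.tar.gz", "size": 123456,
             "uploader": {"login": "example-maintainer"}},
            {"name": "example-1.2.3.tar.xz", "size": 98765,
             "uploader": {"login": "someone-else"}},
        ],
    },
}).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in the X-Hub-Signature-256 header for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def audit_release_event(secret, body, signature_header, event_type):
    """Return audit lines for a release delivery; raise if it is not authentic."""
    # Verify the HMAC over the raw bytes before parsing anything.
    expected = sign(secret, body)
    if not hmac.compare_digest(expected, signature_header or ""):
        raise ValueError("signature mismatch: delivery not from the configured hook")
    if event_type != "release":  # value of the X-GitHub-Event header
        return []
    event = json.loads(body)
    release = event["release"]
    actor = event["sender"]["login"]
    lines = [f'{event["repository"]["full_name"]} release '
             f'{release["tag_name"]} {event["action"]} by {actor}']
    for asset in release.get("assets", []):
        uploader = (asset.get("uploader") or {}).get("login", "unknown")
        # Flag assets whose uploader differs from whoever triggered the event.
        flag = "" if uploader == actor else " [uploader != sender]"
        lines.append(f'  asset {asset["name"]} ({asset["size"]} bytes) '
                     f'uploaded by {uploader}{flag}')
    return lines
```

Calling `audit_release_event(SECRET, SAMPLE_BODY, sign(SECRET, SAMPLE_BODY), "release")` returns one summary line plus one line per asset, which is the text a notification email would carry.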