Newsgroups: php.internals
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
From: daniil.gentili@gmail.com (Daniil Gentili)
To: internals@lists.php.net
Date: Sat, 30 Mar 2024 14:36:41 +0100
References: <9008050F-4EE1-4E19-B513-654602E118A7@benramsey.com> <3d90e236-49d8-4f80-a6dd-3584267a83e3@php.net> <586c3320-b38b-47bb-9c06-6762f1eb242b@gmail.com>
In-Reply-To: <586c3320-b38b-47bb-9c06-6762f1eb242b@gmail.com>

Hi,

> The idea is that we would set up a workflow on CI that would run on tag push and it would call (authenticated https request) downloads.php.net server that could do the actual build

I strongly believe that source tarballs should contain *only* the source code contained in the VCS.

Distributing "half-built" source code (even if it's generated by a CI, and especially by a build server on downloads.php.net, which can be compromised) defeats the reproducibility and transparency purposes of building from source.

> For upstream packagers like distros I'd likely recommend using these tools directly anyway, and not rely on what's in the package.

Distros like Arch Linux already re-generate the configure scripts from scratch, but I believe that no distinction should be made: *everyone* should get a tarball containing *only* the bare source code, without leaving to the user the choice to re-generate the build files or use a potentially compromised build script.

Regards,

Daniil Gentili.
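The property argued for above ("the tarball contains only what is in the VCS") is something a downstream packager can check mechanically, rather than trust. The following is an added example, not code from the php-src project or from the author of the message: it compares the member list of a source tarball against the file list of the tagged tree and reports every path the tarball carries that the VCS does not, which is exactly where generated build files (or anything a build host slipped in) would show up. The tarball and the tracked-file list are constructed inline so the check runs offline; in real use the tracked list would come from `git ls-tree -r --name-only <tag>` on a clone you trust, and the release-name prefix, the sample paths and the `php-X.Y.Z` directory name are placeholders, not real release identifiers.

```python
"""Check that a release tarball contains only paths tracked in the VCS tag.

Added example (assumptions: the tarball has exactly one top-level directory,
and `tracked` is the set of repository-relative paths from
`git ls-tree -r --name-only <tag>`). Not php-src code.
"""
import io
import tarfile

# Constructed, abbreviated stand-in for the tracked-file list of a tag.
# A real php-src tree has thousands of entries; these names are samples.
TRACKED = {
    "README.md",
    "buildconf",
    "configure.ac",
    "Zend/zend_language_parser.y",
    "Zend/zend_language_scanner.l",
    "main/main.c",
}


def tarball_paths(data: bytes) -> set[str]:
    """Return repository-relative paths of all regular members.

    Rejects absolute names, '..' components and members outside the single
    top-level directory, so a crafted archive cannot hide an extra file
    behind a path that would later be extracted somewhere unexpected.
    """
    paths: set[str] = set()
    top: str | None = None
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                raise ValueError(f"unsafe member name: {name!r}")
            if top is None:
                top = parts[0]
            elif parts[0] != top:
                raise ValueError(f"member outside {top!r}: {name!r}")
            if member.isdir() or len(parts) < 2:
                continue
            # 'php-X.Y.Z/main/main.c' -> 'main/main.c'
            paths.add("/".join(parts[1:]))
    return paths


def extra_paths(data: bytes, tracked: set[str]) -> list[str]:
    """Paths present in the tarball but not in the VCS tag (sorted)."""
    return sorted(tarball_paths(data) - tracked)


def missing_paths(data: bytes, tracked: set[str]) -> list[str]:
    """Paths in the VCS tag that the tarball dropped (sorted)."""
    return sorted(tracked - tarball_paths(data))


def build_sample_tarball(paths, top: str = "php-X.Y.Z") -> bytes:
    """Construct a small .tar.gz in memory for the example (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path in sorted(paths):
            content = b"sample content\n"
            info = tarfile.TarInfo(name=f"{top}/{path}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_tarball(TRACKED)
    half_built = build_sample_tarball(
        TRACKED | {"configure", "Zend/zend_language_parser.c"}
    )
    print("VCS-only tarball, extras:", extra_paths(clean, TRACKED))
    print("half-built tarball, extras:", extra_paths(half_built, TRACKED))
```

A non-empty result from `extra_paths` is the signal: either the tarball was built from something other than the tagged tree, or generated files were added after the fact, and in both cases the archive should not be treated as "the source". Run the check against a tag you fetched yourself, not against a file list shipped alongside the tarball.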