Newsgroups: php.internals
From: bukka@php.net (Jakub Zelenka)
Date: Sat, 30 Mar 2024 14:22:08 +0000
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
To: Daniil Gentili
Cc: internals@lists.php.net

Hi

On Sat, Mar 30, 2024 at 1:39 PM Daniil Gentili wrote:

> Hi,
>
> > The idea is that we would set up workflow on CI that would run on tag push
> > and it would call (authenticated https request) downloads.php.net server
> > that could do the actual build
>
> I strongly believe that source tarballs should contain *only* the source
> code contained in the VCS.

That would break lots of tools as it requires extra dependencies so it is not something that would could in stable versions. It is also a pretty standard thing to distribute configure files (which is the file that probably matters most). Also don't forget that we need to also provide Windows builds which are binaries so we need some sort of verification of this type in any case.

> Distributing "half-built" source code (even if it's generated by a CI, and
> especially by a build server on downloads.php.net, which can be
> compromised) defeats the reproducibility and transparency purposes of
> building from source.

It would require compromising the CI as well as the download server happening at the same time which seems to me like an impossible scenario.

Regards

Jakub
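The verification question raised in this exchange comes down to knowing which files in a release tarball cannot be traced back to the tagged VCS tree. The following is an added example, not code from the thread or from the PHP project: it hashes every file in a tarball and compares the result with a manifest of the tagged tree. The file names, contents and the `php-src-x.y.z/` prefix are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import io
import tarfile

def tar_manifest(data: bytes, strip: int = 1) -> dict:
    """Map each regular file in a (possibly compressed) tarball to its SHA-256."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue  # skip directories, links and device nodes
            # Assumption: the archive has `strip` leading directory components.
            path = "/".join(member.name.split("/")[strip:])
            manifest[path] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return manifest

def audit(tarball: dict, vcs: dict) -> dict:
    """Classify tarball files relative to the manifest of the tagged VCS tree."""
    return {
        # Generated files such as `configure` land here and need their own review.
        "only_in_tarball": sorted(set(tarball) - set(vcs)),
        # A tracked file whose content differs from the tag is the strongest signal.
        "modified": sorted(p for p in tarball.keys() & vcs.keys() if tarball[p] != vcs[p]),
        "missing": sorted(set(vcs) - set(tarball)),
    }

def make_tar(files: dict, prefix: str = "php-src-x.y.z/") -> bytes:
    """Build an in-memory .tar.gz from {path: bytes} (used for the sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed sample: the tagged tree, and a release tarball built from it that
# adds a generated `configure` and carries one tracked file with altered content.
VCS_TREE = {"configure.ac": b"AC_INIT([sample])\n", "m4/check.m4": b"AC_DEFUN([X])\n"}
RELEASE = dict(VCS_TREE, configure=b"#!/bin/sh\n")
RELEASE["m4/check.m4"] = b"AC_DEFUN([X]) dnl altered\n"

REPORT = audit(tar_manifest(make_tar(RELEASE)), tar_manifest(make_tar(VCS_TREE)))
print(REPORT)
```

In practice the VCS-side manifest would come from passing the output of `git archive` for the release tag through the same `tar_manifest` function.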