Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:122827
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by qa.php.net (Postfix) with ESMTPS id D0DF51A009C
	for <internals@lists.php.net>; Sat, 30 Mar 2024 15:31:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1711812696; bh=d0PKvQckud1YpBxHFiGL0JJiREj1aZK9LNgX7N58V2Q=;
	h=Date:Subject:To:References:From:In-Reply-To:From;
	b=ec+hpAh3TAG3edkRw/KjlC1/92pWDqY8eXsxhaZ7aOa8bcOYC3LlvoGBlgnbaKRv0
	 XxHTJFRU29x896bM4dArCbPFpigmWbPOSEGBtnWkonI0OEAKD9ekko5J4xBUfXiBwB
	 ewzOpZovjT1ocAzdL2gptrVcWTmO1xHN3okH4n5vVtV1KkrtMvUym3+wZYfb8vrDTV
	 HZO1+IaZsudpWkUyzmvnZTdtOtfPeNwkbeK1hiqpctXwpfSkqN/Tc/ZzjxxI1qIVLp
	 uw+M1ZBKVuFVjUDsFEqiEVrlopT2SFT2f3InYS9DE0wH9LMH6Nd721HC55hHHx6UHh
	 J+2hWLeAXHSdQ==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 342C918006C
	for <internals@lists.php.net>; Sat, 30 Mar 2024 15:31:33 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM,
	HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=4.0.0
X-Spam-Virus: No
X-Envelope-From: <daniil.gentili@gmail.com>
Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat, 30 Mar 2024 15:31:32 +0000 (UTC)
Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-341ccef5058so1978365f8f.2
        for <internals@lists.php.net>; Sat, 30 Mar 2024 08:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1711812665; x=1712417465; darn=lists.php.net;
        h=in-reply-to:from:content-language:references:to:subject:user-agent
         :mime-version:date:message-id:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Up9vMHE5yvzgT1m52dPFvtvD9VU1RR68bUEYpfZNXNE=;
        b=dF7saH+m1snykBE+3JHo03sNWeqA2BlggWnIhw15J0P5XezWiUIDxzz9gn8smCia0J
         7SURo948iNy/FgNNKzthuixtCYjgifsYdEF6L1MS62S7buC3CY7bFFqEbAAHUdJDgSln
         Y4VkfWhV8TUgq1/9bAwlOT3uv5d+65+WaqXe1Jp3lHyRSuqdNsbTxK6nzt2/Vz4xpmDd
         i1UdsdwO+t2FGYcH4UedVrIzQsdpzsUmWJW55oGRzJ9UIZtrBvLp7Mgp34uh8kWySjQd
         qrJMIQuyIwBzzaU+28AXed8NbK2OngJykSE5r/r311v+VPEriRSruA+C9ZdlsSbtF8k0
         wfhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1711812665; x=1712417465;
        h=in-reply-to:from:content-language:references:to:subject:user-agent
         :mime-version:date:message-id:x-gm-message-state:from:to:cc:subject
         :date:message-id:reply-to;
        bh=Up9vMHE5yvzgT1m52dPFvtvD9VU1RR68bUEYpfZNXNE=;
        b=o3ltyImibq5khkTrolAnixbmBpj0Qd7RJHSka4uIZG8JGKh7TG9pzWq3tkSPXztx5d
         XsVItG41fLmPxqqllwRqB+B1vOytwz0ic/oYuzp+RUCty67u9+bNZT7xYZJVa/nDde8q
         s31khTSQyvzuNQ9c2szfhgzRDbeHKjhFavCCN4l3nTdbJZE367yWIa2BEIY/ptgJfmpR
         NSpngHXcTOo5bv0FoLUCA9+bXEQxoDBop0vN4Q600NUUu5DS4mYqhIyDUsvoySngOwve
         oc6j5i9NPQgwrSSxTZFbo9Z6HOpH7Dz2zsLe2hXhfaURzFlURrjgNY8xJBLFPRUAfyEF
         4PpA==
X-Gm-Message-State: AOJu0YxrJsOT3dE+FReCnoh63LoGunMVFiIrgOOP2+wEY5tPVoKgNfPe
	m5eIcpLVts8JqIyZHOA/ajg1GABjrrBVGIoMyTugvckA0/sdBJA/1rD5TyJV
X-Google-Smtp-Source: AGHT+IF/NoEBVGMOnGtjy0UTmt7+If4PkP4AM13pBZ2Ac2aZVtiFcjO8Qcb8c3xZ5lzzIXDpk+ralQ==
X-Received: by 2002:adf:e586:0:b0:33e:bc7e:cadb with SMTP id l6-20020adfe586000000b0033ebc7ecadbmr3362927wrm.41.1711812664618;
        Sat, 30 Mar 2024 08:31:04 -0700 (PDT)
Received: from [192.168.69.233] (as198747.daniil.it. [128.116.205.77])
        by smtp.gmail.com with ESMTPSA id e11-20020a056000194b00b00341c6b53358sm6627604wry.66.2024.03.30.08.31.03
        for <internals@lists.php.net>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sat, 30 Mar 2024 08:31:04 -0700 (PDT)
Content-Type: multipart/alternative;
 boundary="------------g8XPHx7PzDoY74ZS93OpVAzE"
Message-ID: <88decedd-aaf9-43b5-8b65-42d6e1cbf945@gmail.com>
Date: Sat, 30 Mar 2024 16:31:02 +0100
Precedence: bulk
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: internals.lists.php.net
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
To: internals@lists.php.net
References: <AM8P250MB01705B564C0F9B2F460F56B0E2392@AM8P250MB0170.EURP250.PROD.OUTLOOK.COM>
 <9008050F-4EE1-4E19-B513-654602E118A7@benramsey.com>
 <3d90e236-49d8-4f80-a6dd-3584267a83e3@php.net>
 <586c3320-b38b-47bb-9c06-6762f1eb242b@gmail.com>
 <cc1e1415-a4cd-4bb2-99f0-e5b05ef6582c@gmail.com>
 <CAEKnhAEMAmgoFmgCPOnV_0sxpaB5SNwRo-qFcE_YeLSduq+bHg@mail.gmail.com>
Content-Language: en-US
In-Reply-To: <CAEKnhAEMAmgoFmgCPOnV_0sxpaB5SNwRo-qFcE_YeLSduq+bHg@mail.gmail.com>
From: daniil.gentili@gmail.com (Daniil Gentili)

This is a multi-part message in MIME format.
--------------g8XPHx7PzDoY74ZS93OpVAzE
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi,
> It is also pretty standard thing to distribute configure files (which 
> is the file that probably matters most).

The current standard way of distributing generated configure files in 
tarballs is precisely what allowed the xz supply chain attack to go 
unnoticed for so long.

I strongly believe all projects using autotools, including PHP, should 
switch away from this "standard" way of doing things.

> Also don't forget that we need to also provide Windows builds which 
> are binaries so we need some sort of verification of this type in any 
> case.

Of course, build reproducibility is a very good thing, but when a user 
downloads a binary, they're aware that they're getting a compiled blob 
which might contain injected malicious code (especially if there's no 
build reproducibility); when a user downloads a source tarball, there's 
a false sense of security rooted in the mistaken belief that the source 
code in the tarball matches the one distributed in the VCS, but in 
reality, the tarball also contains potentially malicious semi-compiled 
blobs, not present in the VCS.

> It would require compromising the CI as well as the download serves 
> happening at the same time which seems to me like an impossible scenario.
>
I misunderstood your original message, I thought you meant that there 
would be some new CI system hosted on downloads.php.net dedicated to 
verifying, not the current GHA CI system, which is configured on the 
public VCS.

If GHA is used for verifying builds, that would make more sense, but 
then users would be required to check the status of a github pipeline to 
validate that the tarball was not compromised (or alternatively clone 
from source and re-generate the build scripts manually, or simply trust 
the release manager, which brings us to square 1).


Regards,

Daniil Gentili.

--------------g8XPHx7PzDoY74ZS93OpVAzE
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Hi,<br>
    <blockquote type="cite"
cite="mid:CAEKnhAEMAmgoFmgCPOnV_0sxpaB5SNwRo-qFcE_YeLSduq+bHg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail_quote">
          <div>It is also pretty standard thing to distribute configure
            files (which is the file that probably matters most).</div>
        </div>
      </div>
    </blockquote>
    <p>The current standard way of distributing generated configure
      files in tarballs is precisely what allowed the xz supply chain
      attack to go unnoticed for so long.</p>
    <p>I strongly believe all projects using autotools, including PHP,
      should switch away from this "standard" way of doing things.<br>
      <br>
    </p>
    <blockquote type="cite"
cite="mid:CAEKnhAEMAmgoFmgCPOnV_0sxpaB5SNwRo-qFcE_YeLSduq+bHg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail_quote">
          <div> Also don't forget that we need to also provide Windows
            builds which are binaries so we need some sort of
            verification of this type in any case. <br>
          </div>
        </div>
      </div>
    </blockquote>
    <p>Of course, build reproducibility is a very good thing, but when a
      user downloads a binary, they're aware that they're getting a
      compiled blob which might contain injected malicious code
      (especially if there's no build reproducibility); when a user
      downloads a source tarball, there's a false sense of security
      rooted in the mistaken belief that the source code in the tarball
      matches the one distributed in the VCS, but in reality, the
      tarball also contains potentially malicious semi-compiled blobs,
      not present in the VCS.<br>
    </p>
    <blockquote type="cite"
cite="mid:CAEKnhAEMAmgoFmgCPOnV_0sxpaB5SNwRo-qFcE_YeLSduq+bHg@mail.gmail.com">
      <div dir="ltr">
        <div class="gmail_quote">
          <div> </div>
          <div>It would require compromising the CI as well as the
            download serves happening at the same time which seems to me
            like an impossible scenario.</div>
          <br>
        </div>
      </div>
    </blockquote>
    <p>I misunderstood your original message, I thought you meant that
      there would be some new CI system hosted on downloads.php.net
      dedicated to verifying, not the current GHA CI system, which is
      configured on the public VCS.</p>
    <p>If GHA is used for verifying builds, that would make more sense,
      but then users would be required to check the status of a github
      pipeline to validate that the tarball was not compromised (or
      alternatively clone from source and re-generate the build scripts
      manually, or simply trust the release manager, which brings us to
      square 1).</p>
    <p><br>
    </p>
    <p>Regards,</p>
    <p>Daniil Gentili.<br>
    </p>
  </body>
</html>

--------------g8XPHx7PzDoY74ZS93OpVAzE--