Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:122830 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id ABF751A009C for ; Sat, 30 Mar 2024 18:24:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1711823124; bh=Eh7Wt6wsj4sLeljnkVZ4Bhdc9LEAZrZWK+lMU8VbIqg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=b9NMTChBqGObLm/3omTXfGKY9ZiYWA84W2mM+u/tVgVGv89+EsQ1si+eEkLxikTYk 5WP6WcJhqVuUqG92v8oNFBFzSAb2NIU+HoJ1y/D0EL3a/eEYzPWGBJSbzRQ4T4P/TW H1UbovdgHgKJjhtYRIxg7koOvyLb8679Mz5r98GIzI3UD/v/0P5IBtp8ybTDtx8CI3 /auS0d3iv3cgeh8grUTaDWv4lPCta8pN28ize4/rcoh1q/EfQo7qtIEJKfk+PHaGXL BZtqcG7ftTPF8StFjBa6t8BMjFkZFSWDx4TYPO7A55dpIuolMfoLYkC7Ils+ZL5m8e DqnhzkAtk9akA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 927D81806A0 for ; Sat, 30 Mar 2024 18:25:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_50,DMARC_MISSING, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [209.85.218.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 30 Mar 2024 18:25:23 +0000 (UTC) Received: by mail-ej1-f51.google.com with SMTP id a640c23a62f3a-a46d0a8399aso654788866b.1 for ; Sat, 30 Mar 2024 11:24:56 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711823095; x=1712427895; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MQPNqwU56lRpaz2zHTyELbdYXgjNI3lKuhfDq9NxBeA=; b=YFWRmpF8LgfvSo0UnE5dHgEIOvstEJaYKAiOOpEPt/X6PpAkXPp368NTjRv3vmOWwM 1ykTmc1fggVHZFn4B00EO71BmrI9tW3cr2yychAe3k4sm1iB+du/GtCwSFtcwxTTpihf bKYG8cUXHFDrAb0+zorSY3VyxZBiYFDZ2nRzZoBnDkkOXdTMdLgln04cIXxPYhPHlzU1 /nZTVji0fTpKlOCgU3liRb/p/MeFsd709tLY4M70FJH7DNspKa+snXvoEWYJGvlSuQr4 HnqZ0VRAs2UNsttvPVsbhiJ9oCuI/qLA8jZ6LSkRmyVsO0PkKOTp88O4qoB7StZNVU36 O8/g== X-Gm-Message-State: AOJu0YyBdNiSfQED0p3TwmUvV6QYJ72iXd9O4nKmlpI9wlf5j/JvUKxM 3JxueO/BVxglz+B5ZL2z/7QGZVS0sBe28IHNuWV0bcH3muzMsC8AzwotoE+bI+bQBAT6vtpEw82 +khe135l546C1faQjKje3KMhpAeo= X-Google-Smtp-Source: AGHT+IGL69l15+eggn1Q+gsO3LzjFOr/i6F6E7tpu19SeZD+hCRhj7IQjSmjFE3GDTDlNotdlox6719EGViy0Bi+35w= X-Received: by 2002:a05:6402:5107:b0:56b:d013:a67e with SMTP id m7-20020a056402510700b0056bd013a67emr5148588edd.18.1711823095003; Sat, 30 Mar 2024 11:24:55 -0700 (PDT) Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 References: <9008050F-4EE1-4E19-B513-654602E118A7@benramsey.com> <3d90e236-49d8-4f80-a6dd-3584267a83e3@php.net> <586c3320-b38b-47bb-9c06-6762f1eb242b@gmail.com> <88decedd-aaf9-43b5-8b65-42d6e1cbf945@gmail.com> In-Reply-To: <88decedd-aaf9-43b5-8b65-42d6e1cbf945@gmail.com> Date: Sat, 30 Mar 2024 18:24:43 +0000 Message-ID: Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs To: Daniil Gentili Cc: internals@lists.php.net Content-Type: multipart/alternative; boundary="0000000000007f043d0614e4df8f" From: bukka@php.net (Jakub Zelenka) --0000000000007f043d0614e4df8f Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, On Sat, Mar 30, 2024 at 3:33=E2=80=AFPM Daniil Gentili wrote: > It is also pretty standard thing to distribute configure files (which is > the file that probably matters most). > > The current standard way of distributing generated configure files in > tarballs is precisely what allowed the xz supply chain attack to go > unnoticed for so long. > > Do you think it would be different if the change happened in the distributed source file instead? I mean you could still modify tarball of the distributed file (e.g. hide somewhere in configure.ac or in our case more easily in less visible files like various Makefile.frag and similar). The only thing that you get by using just VCS files is that people could hash the distributed content of the files and compare it with the hash of the VCS files but does anyone do this sort of verification? If you meant using Git archive, then it's not a good idea because it doesn't have a long term hash stability: https://github.com/orgs/community/discussions/46034 . > I strongly believe all projects using autotools, including PHP, should > switch away from this "standard" way of doing things. > > Also don't forget that we need to also provide Windows builds which are > binaries so we need some sort of verification of this type in any case. > > Of course, build reproducibility is a very good thing, but when a user > downloads a binary, they're aware that they're getting a compiled blob > which might contain injected malicious code (especially if there's no bui= ld > reproducibility); when a user downloads a source tarball, there's a false > sense of security rooted in the mistaken belief that the source code in t= he > tarball matches the one distributed in the VCS, but in reality, the tarba= ll > also contains potentially malicious semi-compiled blobs, not present in t= he > VCS. > > > It would require compromising the CI as well as the download serves > happening at the same time which seems to me like an impossible scenario. > > I misunderstood your original message, I thought you meant that there > would be some new CI system hosted on downloads.php.net dedicated to > verifying, not the current GHA CI system, which is configured on the publ= ic > VCS. > > If GHA is used for verifying builds, that would make more sense, but then > users would be required to check the status of a github pipeline to > validate that the tarball was not compromised (or alternatively clone fro= m > source and re-generate the build scripts manually, or simply trust the > release manager, which brings us to square 1). > As noted above, you would need to do much more involved verification if only generated source codes were removed. With GHA it would be just failed build and we could integrate notification (e.g. to Foundation Slack) so more people could be easily aware if there is such problem. Regards Jakub --0000000000007f043d0614e4df8f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

On Sat, Mar 30, 2024 at 3:33=E2=80=AFPM Daniil Gen= tili <daniil.gentili@gmail.c= om> wrote:
It is also pretty standard thing to distribute configure files (which is the file that probably matters most).

The current standard way of distributing generated configure files in tarballs is precisely what allowed the xz supply chain attack to go unnoticed for so long.


Do you think it would be = different if the change happened in the distributed source file instead? I = mean you could still modify tarball of the distributed file (e.g. hide some= where in configure.ac or in our case mo= re easily in less visible files like various Makefile.frag and similar). Th= e only thing that you get by using just VCS files is that people could hash= the distributed content of the files and compare it with the hash of the V= CS files but does anyone do this sort of verification?

=
If you meant using Git archive, then it's not a good idea because = it doesn't have a long term hash stability:=C2=A0https://github.com/orgs/community= /discussions/46034 .=C2=A0
=C2=A0

I strongly believe all projects using a= utotools, including PHP, should switch away from this "standard" way of doing things= .

Also don't forget that we need to also provide Windows builds which are binaries so we need some sort of verification of this type in any case.

Of course, build reproducibility is a very good thing, but when a user downloads a binary, they're aware that they're getting a compiled blob which might contain injected malicious code (especially if there's no build reproducibility); when a user downloads a source tarball, there's a false sense of security rooted in the mistaken belief that the source code in the tarball matches the one distributed in the VCS, but in reality, the tarball also contains potentially malicious semi-compiled blobs, not present in the VCS.

=C2=A0
It would require compromising the CI as well as the download serves happening at the same time which seems to me like an impossible scenario.

I misunderstood your original message, I thought you meant that there would be some new CI system hosted on downloads.php.net dedicated to verifying, not the current GHA CI system, which is configured on the public VCS.

If GHA is used for verifying builds, that would make more sense, but then users would be required to check the status of a github pipeline to validate that the tarball was not compromised (or alternatively clone from source and re-generate the build scripts manually, or simply trust the release manager, which brings us to square 1).


As noted above, = you would need to do much more involved verification if only generated sour= ce codes were removed. With GHA it would be just failed build and we could = integrate notification (e.g. to Foundation Slack) so more people could be e= asily aware if there is such problem.

Regards

Jakub
--0000000000007f043d0614e4df8f--