Newsgroups: php.internals
From: cschneid@cschneid.com (Christian Schneider)
To: php internals
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
Date: Sun, 31 Mar 2024 15:53:54 +0200
List-Id: internals.lists.php.net
Message-ID: <3E13B046-FE40-48D7-AAF0-13362B12C438@cschneid.com>

On 30.03.2024 at 16:35, Daniil Gentili wrote:
>> That would break lots of tools as it requires extra dependencies so it is not something that would could in stable versions.
> Btw, I do not believe that "it would require end users to install autotools and bison in order to compile PHP from tarballs" is a valid reason to delay the patching of a serious attack vector ASAP.

I agree with Jakub that removing configure would just shift the problem, not solve it, while at the same time putting a new burden on people compiling PHP from downloaded archives.

But my main question is: I fail to see the difference whether I plant my malicious code in configure, configure.ac or *.c: Someone has to review the changes and notice the problem. And we have to trust the RMs. What am I missing?

Regards,
- Chris