Newsgroups: php.internals
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
From: landers.robert@gmail.com (Robert Landers)
To: Christian Schneider
Cc: php internals
Date: Sun, 31 Mar 2024 18:08:00 +0200
In-Reply-To: <3E13B046-FE40-48D7-AAF0-13362B12C438@cschneid.com>

On Sun, Mar 31, 2024 at 5:26 PM Christian Schneider wrote:
>
> On 30.03.2024 at 16:35 Daniil Gentili wrote:
> >> That would break lots of tools as it requires extra dependencies so it is not something that would could in stable versions.
> > Btw, I do not believe that "it would require end users to install autotools and bison in order to compile PHP from tarballs" is valid reason to delay the patching of a serious attack vector ASAP.
>
> I agree with Jakub that removing configure would just shift the problem, not solve it, while at the same time puts a new burden on people compiling PHP from downloaded archives.
>
> But my main question is: I fail to see the difference whether I plant my malicious code in configure, configure.ac or *.c: Someone has to review the changes and notice the problem. And we have to trust the RMs. What am I missing?
>
> Regards,
> - Chris

There are probably multiple parties that require trust: the people hosting the CI servers, the people with access to the CI servers, the RM, and maybe more that I can't think of right now.

One option would be to have

- CI push the code + generated files to a git-branch `php-8.3-built` (or something) so that changes can be reviewed, along with the tarball.
- CI signs the commit and tarball.
- RM checks out commit and also signs the tarball, then does a git commit --amend --signoff and "blesses" the commit
- RM releases tarball
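The RM-side check the proposal above implies, as an added example that is not part of the thread or of PHP's own release tooling: before signing, confirm that the tarball's contents are byte-for-byte the tree that was reviewed on the `php-8.3-built` branch. It assumes that branch is checked out as a plain directory and needs only tar, find, sort, comm and cksum.

```shell
#!/bin/sh
# Added example, not code from the thread or from PHP's release tooling.
# Checks that a release tarball is byte-for-byte identical to a reviewed
# source tree (e.g. a checkout of the proposed `php-8.3-built` branch),
# so that what the RM signs is exactly what reviewers saw.
# Reports files only in the tarball (unreviewed additions), files missing
# from it, and files whose content differs. A .git directory in the
# reviewed tree is ignored. Exit status: 0 identical, 1 mismatch, 2 I/O error.

verify_tarball_matches_tree() {
    tarball=$1
    reviewed=$2
    work=$(mktemp -d) || return 2
    mkdir "$work/x"
    tar -xf "$tarball" -C "$work/x" || { rm -rf "$work"; return 2; }
    # Release tarballs usually wrap everything in one top-level directory;
    # descend into it when that is the case, else compare the extraction root.
    set -- "$work/x"/*
    if [ $# -eq 1 ] && [ -d "$1" ]; then extracted=$1; else extracted=$work/x; fi
    ( cd "$reviewed" && find . -name .git -prune -o -type f -print | sort ) \
        > "$work/reviewed.lst"
    ( cd "$extracted" && find . -name .git -prune -o -type f -print | sort ) \
        > "$work/extracted.lst"
    status=0
    # Paths present on one side only (comm needs both lists sorted, as above).
    added=$(comm -13 "$work/reviewed.lst" "$work/extracted.lst")
    missing=$(comm -23 "$work/reviewed.lst" "$work/extracted.lst")
    [ -z "$added" ] || { echo "UNREVIEWED files only in tarball:"; echo "$added"; status=1; }
    [ -z "$missing" ] || { echo "files missing from tarball:"; echo "$missing"; status=1; }
    # Compare the content of every file present in both trees (CRC and size).
    while IFS= read -r f; do
        [ -f "$extracted/$f" ] || continue
        a=$(cksum < "$reviewed/$f")
        b=$(cksum < "$extracted/$f")
        [ "$a" = "$b" ] || { echo "CONTENT DIFFERS: $f"; status=1; }
    done < "$work/reviewed.lst"
    rm -rf "$work"
    return $status
}
```

Run as `verify_tarball_matches_tree php-8.3.0.tar /path/to/php-8.3-built-checkout` and sign only on exit status 0.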