Newsgroups: php.internals
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
From: Ben Ramsey <ben@benramsey.com>
To: Robert Landers
Cc: Christian Schneider, php internals
Date: Sun, 31 Mar 2024 18:52:53 -0500
Message-ID: <8AD52323-A273-40FE-90FD-8A7AE55535AE@benramsey.com>

> On Mar 31, 2024, at 11:08, Robert Landers wrote:
>
> There are probably multiple parties that require trust: the people
> hosting the CI servers, the people with access to the CI servers, the
> RM, and maybe more that I can't think of right now.
>
> One option would be to have
>
> - CI push the code + generated files to a git-branch `php-8.3-built`
> (or something) so that changes can be reviewed, along with the
> tarball.
> - CI signs the commit and tarball.
> - RM checks out the commit and also signs the tarball, then does a git
> commit --amend --signoff and "blesses" the commit
> - RM releases tarball

When I was considering this and created a PR that followed these steps, I discussed the process with folks from other open source communities, notably the Apache Software Foundation community, since some of their projects follow similar processes. The notion of automating the build and signing it on a remote machine, only to be inspected and signed again on the release manager's machine, was outright rejected by everyone. The machine where it is signed by the RM should be the machine where it is built, according to everyone I spoke with.

As it stands right now, if we build the tarball on a remote machine (in CI), and then the RM wants to compare it and build it locally, the hashes on those tarballs will be different because we can't guarantee reproducible builds. If we could guarantee reproducible builds, then maybe this process could work, but it would still require the RM to build it locally from the source tag in order to trust and verify that nothing sneaked in on the CI machine.

Cheers,
Ben
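The reproducibility point in Ben's last paragraph, as an added example (illustrative Python, not code from php-src, the PHP release process or anyone in this thread): the same file tree is packed the way `tar czf` would on a CI runner and on the RM's machine, the two tarballs hash differently, and `explain_mismatch` names the packaging fields responsible. Pinning those fields (one SOURCE_DATE_EPOCH for every timestamp including the gzip header, numeric 0:0 owner, sorted entries, fixed archive format) makes the two builds byte-identical, so the RM's local hash check passes, and a change to a generated file then shows up as `content` rather than being lost in metadata noise. The file tree, host profiles, timestamps and owner names are all constructed for the demonstration.

```python
"""
Added example for the reproducible-builds point above.  Illustrative Python,
not code from php-src, the PHP release process or anyone in the thread.  The
file tree, host profiles, timestamps and owner names are constructed.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a source tag plus one generated file that the
# build step would add before packaging.
SOURCE_TREE = {
    "php-src/configure.ac": b"AC_INIT([PHP], [8.3.0])\n",
    "php-src/Zend/zend_language_scanner.l": b"%% scanner rules %%\n",
    "php-src/Zend/zend_language_scanner.c": b"/* generated by re2c */\n",
}

# Constructed host profiles: what a plain `tar czf` silently records on a CI
# runner versus on the release manager's own machine for the *same* tree.
CI_HOST = dict(clock=1711929185, uid=1001, gid=1001, uname="runner", gname="docker",
               listing=lambda names: list(reversed(names)))   # directory order on CI
RM_HOST = dict(clock=1712000000, uid=501, gid=20, uname="rm", gname="staff",
               listing=list)                                   # directory order locally


def build_tarball(tree, host, source_date_epoch=None):
    """Pack `tree` as .tar.gz.

    With source_date_epoch=None every host-dependent field leaks into the
    archive, which is why a CI-built and a locally built tarball of one tag
    hash differently.  With it set, the fields are pinned the way
    reproducible-build tooling does: one timestamp for all entries and the
    gzip header, numeric 0:0 owner with empty names, sorted entries, one
    archive format.
    """
    pinned = source_date_epoch is not None
    names = sorted(tree) if pinned else host["listing"](list(tree))
    stamp = source_date_epoch if pinned else host["clock"]

    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = stamp
            if pinned:
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.uid, info.gid = host["uid"], host["gid"]
                info.uname, info.gname = host["uname"], host["gname"]
            tar.addfile(info, io.BytesIO(data))

    out = io.BytesIO()
    # gzip's own header carries a timestamp as well, so it has to be pinned too.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def rm_verify(ci_tarball, local_tarball):
    """The RM's check: does my local build from the tag byte-match what CI produced?"""
    return hashlib.sha256(ci_tarball).digest() == hashlib.sha256(local_tarball).digest()


def explain_mismatch(a, b):
    """Name the fields that make two archives of the same tree differ.

    An empty set means the archives are byte-identical.  'content' is the one
    reason that indicates something other than packaging metadata changed.
    """
    reasons = set()
    if a[4:8] != b[4:8]:                       # gzip header MTIME field (bytes 4..7)
        reasons.add("gzip header mtime")
    with tarfile.open(fileobj=io.BytesIO(a), mode="r:gz") as ta, \
         tarfile.open(fileobj=io.BytesIO(b), mode="r:gz") as tb:
        ma, mb = ta.getmembers(), tb.getmembers()
        if [m.name for m in ma] != [m.name for m in mb]:
            same_set = {m.name for m in ma} == {m.name for m in mb}
            reasons.add("entry order" if same_set else "entry set")
        for x in ma:
            try:
                y = tb.getmember(x.name)
            except KeyError:
                continue
            for field in ("mode", "mtime", "uid", "gid", "uname", "gname"):
                if getattr(x, field) != getattr(y, field):
                    reasons.add(field)
            if ta.extractfile(x).read() != tb.extractfile(y).read():
                reasons.add("content")
    return reasons


if __name__ == "__main__":
    epoch = 1711929185  # constructed SOURCE_DATE_EPOCH, e.g. the tag's commit time
    ci, local = build_tarball(SOURCE_TREE, CI_HOST), build_tarball(SOURCE_TREE, RM_HOST)
    print("naive builds match:", rm_verify(ci, local), sorted(explain_mismatch(ci, local)))
    ci, local = build_tarball(SOURCE_TREE, CI_HOST, epoch), build_tarball(SOURCE_TREE, RM_HOST, epoch)
    print("pinned builds match:", rm_verify(ci, local))
```

The pinned branch corresponds to what GNU tar does with `--sort=name --mtime=@$SOURCE_DATE_EPOCH --owner=0 --group=0 --numeric-owner` followed by `gzip -n`; without all of those (and the same compressor and archive format on both machines) the RM's hash comparison fails for reasons that have nothing to do with what is in the files, which is exactly why the comparison alone cannot stand in for building from the tag locally.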