Newsgroups: php.internals
Xref: news.php.net php.internals:122842
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
From: Robert Landers <landers.robert@gmail.com>
To: Ben Ramsey
Cc: Christian Schneider, php internals
Date: Mon, 1 Apr 2024 10:01:10 +0200
In-Reply-To: <8AD52323-A273-40FE-90FD-8A7AE55535AE@benramsey.com>

On Mon, Apr 1, 2024 at 1:53 AM Ben Ramsey wrote:
>
> > On Mar 31, 2024, at 11:08, Robert Landers wrote:
> >
> > There are probably multiple parties that require trust: the people hosting the CI servers, the people with access to the CI servers, the RM, and maybe more that I can't think of right now.
> >
> > One option would be to have
> >
> > - CI push the code + generated files to a git-branch `php-8.3-built` (or something) so that changes can be reviewed, along with the tarball.
> > - CI signs the commit and tarball.
> > - RM checks out commit and, also signs the tarball, then does a git commit --amend --signoff and "blesses" the commit
> > - RM releases tarball
>
> When I was considering this and created a PR that followed these steps, I discussed the process with folks from other open source communities, notably the Apache Software Foundation community, since some of their projects follow similar processes. The notion of automating the build and signing it on a remote machine, only to be inspected and signed again on the release manager’s machine was outright rejected by everyone. The machine where it is signed by the RM should be the machine where it is built, according to everyone I spoke with.
>
> As it stands right now, if we build the tarball on a remote machine (in CI), and then the RM wants to compare it and build it locally, the hashes on those tarballs will be different because we can’t guarantee reproducible builds. If we could guarantee reproducible builds, then maybe this process could work, but it would still require the RM to build it locally from the source tag in order to trust and verify that nothing sneaked in on the CI machine.
>
> Cheers,
> Ben
>

I think the big point is to store the generated files in git for CI builds. To verify the tarball is that commit, check out the branch and untar the file: there should be no changes, git clean should result in no removed files, etc. This would make injecting malicious code visible, at the very least. Whether someone catches it and actually reviews the generated files is a different question. But if we wanted something that is better than nothing... it's a pretty simple solution. Reproducible builds is an orthogonal but related problem.
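The tarball-versus-branch check described in the reply, as an added example that is not code from the thread or from php-src: it assumes the `php-8.3-built` branch is already checked out into a directory and compares per-file hashes directly instead of shelling out to git, using a constructed three-file tree and two constructed tarballs (one faithful, one with a changed file, an extra file and a missing file) in place of a real release.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def tree_digests(root: Path) -> dict:
    """Relative path -> sha256 for every regular file in the checked-out tree (.git skipped)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*")
            if p.is_file() and ".git" not in p.relative_to(root).parts}

def tarball_digests(tar_path: Path) -> dict:
    """Same map for the tarball, with the top-level 'php-x.y.z/' directory stripped."""
    with tarfile.open(tar_path, "r:*") as tar:
        return {m.name.split("/", 1)[-1]: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar.getmembers() if m.isfile()}

def compare_tarball_to_tree(tar_path: Path, tree: Path) -> dict:
    """Files whose content differs, present only in the tarball (injected) or only in the tree (removed)."""
    a, b = tarball_digests(tar_path), tree_digests(tree)
    return {"modified": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
            "injected": sorted(a.keys() - b.keys()),
            "removed": sorted(b.keys() - a.keys())}

def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Write an in-memory file into the tarball (only used to build the tampered sample)."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def demo() -> tuple:
    """Constructed data: a tiny built tree, a faithful tarball and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp, "php-8.3-built")
        for rel, text in {"configure": "#!/bin/sh\necho configure\n",
                          "Zend/zend_language_parser.c": "/* generated by bison */\n",
                          "main/php_version.h": '#define PHP_VERSION "8.3.0"\n'}.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_text(text)
        clean = Path(tmp, "php-8.3.0.tar.gz")
        with tarfile.open(clean, "w:gz") as tar:
            tar.add(tree, arcname="php-8.3.0")  # exactly what the branch contains
        tampered = Path(tmp, "php-8.3.0-tampered.tar.gz")
        with tarfile.open(tampered, "w:gz") as tar:
            tar.add(tree / "Zend", arcname="php-8.3.0/Zend")  # untouched part
            _add_bytes(tar, "php-8.3.0/configure", b"#!/bin/sh\necho configure\necho not-in-git\n")
            _add_bytes(tar, "php-8.3.0/ext/injected.c", b"/* not in the branch */\n")
        return compare_tarball_to_tree(clean, tree), compare_tarball_to_tree(tampered, tree)
```

The tampered sample leaves out `main/php_version.h` on purpose, so the report shows all three outcomes the reply mentions: a changed file, an injected file, and a file that would only reappear after `git clean`.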