Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:122863
Precedence: bulk
MIME-Version: 1.0
References: <AM8P250MB01705B564C0F9B2F460F56B0E2392@AM8P250MB0170.EURP250.PROD.OUTLOOK.COM>
 <9008050F-4EE1-4E19-B513-654602E118A7@benramsey.com> <CADyq6sLr=Zv0OmL55na0c6kGkaxvy9A8fJhptn71si8u7rzedQ@mail.gmail.com>
 <CAEKnhAGmDRMypM=fsWAroC6M6JcbwQRf7HYbb7n3GPNVQGvXjA@mail.gmail.com>
 <95c92b6a-6788-fddb-a130-e4d122338b68@php.net> <CAEKnhAG4AYy9wPzuVq3y_hqfjcWMDi8HtCkVQyL9Txoqogwz7A@mail.gmail.com>
In-Reply-To: <CAEKnhAG4AYy9wPzuVq3y_hqfjcWMDi8HtCkVQyL9Txoqogwz7A@mail.gmail.com>
Date: Tue, 2 Apr 2024 14:34:55 +0000
Message-ID: <CAO__Xv7=31W8FQgJ8xTokzA_qu0wo0bcVfOC7dKTMGGeOxmAhA@mail.gmail.com>
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
To: Jakub Zelenka <bukka@php.net>
Cc: Derick Rethans <derick@php.net>, Marco Pivetta <ocramius@gmail.com>, Ben Ramsey <ben@benramsey.com>, 
	Bob Weinand <bobwei9@hotmail.com>, Daniil Gentili <daniil.gentili@gmail.com>, 
	PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000002d3d5406151e03b8"
From: fenniclog@gmail.com (tag Knife)

--0000000000002d3d5406151e03b8
Content-Type: text/plain; charset="UTF-8"

On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka <bukka@php.net> wrote:

> We will still need RM to sign the build so ideally we should make it
> reproducible so RM can verify that CI produced expected build and then sign
> it and just upload the signatures (not sure if we actually need signature
> uploaded or if they are used just in announcements).
>
> I think this should then prevent compromise of the RM and CI unless CI is
> compromised by RM, of course, but that should be very unlikely.
>
> Regards
>
> Jakub
>
>
On the side of the CI being compromised, this does happen, typically with
authed
private hosted CI, like jenkins. But if its open and accessible to everyone
to monitor, such
as github actions, everyone can monitor and audit the build logs to verify
the commands
ran and nothing unexpected happened during build.

That is something PHP is missing atm, no one can verify the build process
for releases.

--0000000000002d3d5406151e03b8
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"g=
mail_attr">On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka &lt;<a href=3D"mailto=
:bukka@php.net">bukka@php.net</a>&gt; wrote:<br></div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_quote"><d=
iv>We will still need RM to sign the build so ideally we should make it rep=
roducible so RM can verify that CI produced expected build and then sign it=
 and just upload the signatures (not sure if we actually need signature upl=
oaded or if they are used just in announcements).</div><div><br></div><div>=
I think this should then prevent compromise of the RM and CI unless CI is c=
ompromised by RM, of course, but that should be very unlikely.<br></div><di=
v><br></div><div>Regards</div><div><br></div><div>Jakub<br><br></div></div>=
</div></blockquote><div><br></div><div></div><div>On the side of the CI bei=
ng compromised, this does happen, typically with authed=C2=A0</div><div>pri=
vate hosted CI, like jenkins. But if its open and accessible to everyone to=
 monitor, such</div><div>as github actions, everyone can monitor and audit =
the build logs to verify the commands</div><div>ran and nothing unexpected =
happened during build.</div><div><br></div><div>That is something PHP is mi=
ssing atm, no one can verify the build process for releases.<br></div></div=
></div>

--0000000000002d3d5406151e03b8--