Newsgroups: php.internals
Date: Tue, 2 Apr 2024 14:34:55 +0000
Message-ID: <CAO__Xv7=31W8FQgJ8xTokzA_qu0wo0bcVfOC7dKTMGGeOxmAhA@mail.gmail.com>
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
To: Jakub Zelenka <bukka@php.net>
Cc: Derick Rethans <derick@php.net>, Marco Pivetta <ocramius@gmail.com>, Ben Ramsey <ben@benramsey.com>, 
	Bob Weinand <bobwei9@hotmail.com>, Daniil Gentili <daniil.gentili@gmail.com>, 
	PHP Internals List <internals@lists.php.net>
From: fenniclog@gmail.com (tag Knife)

On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka <bukka@php.net> wrote:

> We will still need the RM to sign the build, so ideally we should make it
> reproducible so the RM can verify that CI produced the expected build and then
> sign it and just upload the signatures (not sure if we actually need the
> signatures uploaded or if they are used just in announcements).
>
> I think this should then prevent compromise of the RM and CI unless CI is
> compromised by the RM, of course, but that should be very unlikely.
>
> Regards
>
> Jakub

On the side of the CI being compromised, this does happen, typically with
authed, privately hosted CI like Jenkins. But if it's open and accessible to
everyone to monitor, such as GitHub Actions, everyone can monitor and audit
the build logs to verify the commands that ran and that nothing unexpected
happened during the build.

That is something PHP is missing atm: no one can verify the build process
for releases.
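The verification step Jakub describes (RM rebuilds the tarball, compares it with what CI produced, and only then signs), as an added example that is not php-src release tooling. It assumes GNU tar, GNU gzip and coreutils, and stands in for the CI-published digest with a second local build of a constructed source tree; the `SOURCE_DATE_EPOCH` convention is from reproducible-builds.org.

```shell
#!/bin/sh
# Added example, not php-src release tooling: build the source tarball
# deterministically and refuse to sign unless an independent rebuild
# yields the same SHA-256. Assumes GNU tar, GNU gzip and coreutils.
set -eu

# Timestamp baked into every archive member (reproducible-builds.org
# convention); a real release would set it to the tagged commit's time.
: "${SOURCE_DATE_EPOCH:=1000000000}"

# Pack $1 into $2 with every known source of nondeterminism pinned:
# member order, mtimes, owner ids and the gzip header timestamp.
# Prints the SHA-256 of the resulting archive.
reproducible_tarball() {
    src_dir=$1
    out=$2
    tar --format=gnu --sort=name --mtime="@$SOURCE_DATE_EPOCH" \
        --owner=0 --group=0 --numeric-owner \
        -C "$(dirname "$src_dir")" -cf - "$(basename "$src_dir")" \
        | gzip -n -9 > "$out"
    sha256sum "$out" | cut -d' ' -f1
}

# RM-side check: the digest CI published must equal the RM's own rebuild.
# Only on success would the RM detach-sign the artifact (signing omitted).
verify_ci_build() {
    [ "$1" = "$2" ]
}

# Demo on a constructed tree: the "CI" and "RM" checkouts differ in file
# mtimes and creation order, yet must produce identical digests.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/ci/php-src" "$work/rm/php-src"
    printf 'int main(void) { return 0; }\n' > "$work/ci/php-src/main.c"
    printf 'all: main.c\n' > "$work/ci/php-src/Makefile"
    cp "$work/ci/php-src/Makefile" "$work/rm/php-src/Makefile"
    cp "$work/ci/php-src/main.c" "$work/rm/php-src/main.c"
    touch -d '2001-01-01 00:00:00' "$work/rm/php-src/"*
    ci_digest=$(reproducible_tarball "$work/ci/php-src" "$work/ci.tar.gz")
    rm_digest=$(reproducible_tarball "$work/rm/php-src" "$work/rm.tar.gz")
    if verify_ci_build "$ci_digest" "$rm_digest"; then
        echo "OK: $ci_digest (safe to sign)"
    else
        echo "MISMATCH: CI $ci_digest vs RM $rm_digest (do not sign)" >&2
        return 1
    fi
}
```

A public CI log of the same `tar`/`gzip` invocation is what lets third parties repeat this comparison themselves rather than trusting the RM's word.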
