Newsgroups: php.internals
From: bukka@php.net (Jakub Zelenka)
Date: Tue, 2 Apr 2024 14:40:51 +0000
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
To: tag Knife
Cc: Derick Rethans, Marco Pivetta, Ben Ramsey, Bob Weinand, Daniil Gentili, PHP Internals List
References: <9008050F-4EE1-4E19-B513-654602E118A7@benramsey.com> <95c92b6a-6788-fddb-a130-e4d122338b68@php.net>

On Tue, Apr 2, 2024 at 3:35 PM tag Knife wrote:
>
> On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka wrote:
>
>> We will still need RM to sign the build so ideally we should make it
>> reproducible so RM can verify that CI produced expected build and then sign
>> it and just upload the signatures (not sure if we actually need signature
>> uploaded or if they are used just in announcements).
>>
>> I think this should then prevent compromise of the RM and CI unless CI is
>> compromised by RM, of course, but that should be very unlikely.
>>
>> Regards
>>
>> Jakub
>>
>
> On the side of the CI being compromised, this does happen, typically with
> authed private hosted CI, like Jenkins. But if it's open and accessible to
> everyone to monitor, such as GitHub Actions, everyone can monitor and audit
> the build logs to verify the commands ran and nothing unexpected happened
> during build.
>
> That is something PHP is missing atm, no one can verify the build process
> for releases.

Yes, that's what I was suggesting. This should be done by RM. In that way,
the RM becomes more someone that verifies the build and not the actual
person that provides the build.

Regards

Jakub
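The flow discussed in this thread (CI produces the tarball, the release manager rebuilds it independently, compares the bytes, and signs only on a match) depends on the tarball being reproducible in the first place. The following is an added illustration, not code from this thread or from PHP's release tooling: it builds a tar.gz whose bytes depend only on file paths and contents (sorted entries, zeroed timestamps, fixed owner and permission bits, no build time in the gzip header), then applies the RM's sign-or-refuse gate. The source tree, the archive name `php-sample` and the `demo()` scenario are constructed for the example; the actual signature step is only named in a comment.

```python
"""Reproducible tarball plus release-manager verification gate (illustrative, not PHP's tooling)."""
import gzip
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Drop everything that varies between build hosts: owner, timestamps and
    incidental permission bits. Only the entry path and its contents remain."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mtime = 0
    info.mode = 0o755 if info.isdir() or (info.mode & 0o111) else 0o644
    return info


def build_reproducible_tarball(src_dir: str, top_name: str) -> bytes:
    """Return top_name.tar.gz bytes that depend only on the tree's paths and contents."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()  # fixed traversal order, independent of filesystem ordering
            rel = os.path.relpath(root, src_dir)
            arc_root = top_name if rel == "." else f"{top_name}/{rel}"
            tar.add(root, arcname=arc_root, recursive=False, filter=_normalize)
            for name in sorted(files):
                tar.add(os.path.join(root, name), arcname=f"{arc_root}/{name}",
                        recursive=False, filter=_normalize)
    out = io.BytesIO()
    # mtime=0 keeps the build time out of the gzip header, the classic source of drift.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rm_should_sign(ci_digest: str, rm_digest: str) -> bool:
    """The RM's gate: only a CI artefact whose bytes the RM reproduced locally gets signed.
    In the real flow a True here would be followed by something like
    `gpg --detach-sign --armor <ci-artefact>` and uploading only that signature."""
    return hmac.compare_digest(ci_digest, rm_digest)


def write_sample_tree(root: str, mtime: int, readme: str = "sample project\n",
                      mode: int = 0o644) -> None:
    """Constructed stand-in for a source checkout (not PHP's sources). mtime and mode
    are the host-specific noise that must not leak into the archive."""
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    contents = {"README": readme, "src/main.c": "int main(void) { return 0; }\n"}
    for rel, text in contents.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    for rel in ("", "README", "src", "src/main.c"):
        os.utime(os.path.join(root, rel), (mtime, mtime))


def demo() -> dict:
    """CI and RM build the same tree on 'different hosts' (different mtimes and modes);
    a third tree with one injected line stands in for a tampered CI build."""
    with tempfile.TemporaryDirectory() as tmp:
        ci, rm, bad = (os.path.join(tmp, n) for n in ("ci", "rm", "tampered"))
        write_sample_tree(ci, mtime=1_700_000_000, mode=0o644)
        write_sample_tree(rm, mtime=1_712_068_800, mode=0o600)
        write_sample_tree(bad, mtime=1_700_000_000, readme="sample project\n# injected\n")
        digests = {name: sha256_hex(build_reproducible_tarball(path, "php-sample"))
                   for name, path in (("ci", ci), ("rm", rm), ("tampered", bad))}
        return {
            **digests,
            "sign_ok": rm_should_sign(digests["ci"], digests["rm"]),
            "sign_tampered": rm_should_sign(digests["ci"], digests["tampered"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `_normalize` is that the RM's rebuild and CI's build differ in exactly the metadata it strips; anything left in (a build timestamp, the builder's uid, a umask-dependent mode) makes the two digests diverge and the gate refuses to sign even though the contents are identical. The tampered tree shows the other direction: one changed line changes the digest, so an artefact that the RM cannot reproduce is never signed.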