Newsgroups: php.internals
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
From: Olle Härstedt <olleharstedt@gmail.com>
To: Jakub Zelenka
Cc: tag Knife, Derick Rethans, Marco Pivetta, Ben Ramsey, Bob Weinand, Daniil Gentili, PHP Internals List
Date: Tue, 2 Apr 2024 16:47:42 +0200

internals+unsubscribe@lists.php.net - 550 5.7.1 Looks like spam to me.

Can't unsub...?

On Tue, 2 Apr 2024 at 16:46, Jakub Zelenka <bukka@php.net> wrote:

> On Tue, Apr 2, 2024 at 3:35 PM tag Knife <fenniclog@gmail.com> wrote:
>
>> On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka <bukka@php.net> wrote:
>>
>>> We will still need RM to sign the build so ideally we should make it
>>> reproducible so RM can verify that CI produced expected build and then sign
>>> it and just upload the signatures (not sure if we actually need signature
>>> uploaded or if they are used just in announcements).
>>>
>>> I think this should then prevent compromise of the RM and CI unless CI
>>> is compromised by RM, of course, but that should be very unlikely.
>>>
>>> Regards
>>>
>>> Jakub
>>>
>>
>> On the side of the CI being compromised, this does happen, typically with
>> authed private hosted CI, like Jenkins. But if it's open and accessible to
>> everyone to monitor, such as GitHub Actions, everyone can monitor and audit
>> the build logs to verify the commands ran and nothing unexpected happened
>> during build.
>>
>> That is something PHP is missing atm, no one can verify the build process
>> for releases.
>>
>
> Yes that's what I was suggesting. This should be done by RM. In that way,
> the RM becomes more someone that verifies the build and not the actual
> person that provides the build.
>
> Regards
>
> Jakub
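The verify-then-sign step Jakub describes, as an added example that is not part of this thread or of php-src's release tooling: the release manager hashes the CI-produced tarball against an independent local rebuild and signs only when the two are byte-identical. The artifact files are constructed stand-ins and `SIGN_CMD` is an assumed hook.

```shell
#!/bin/sh
# Release-manager side check: refuse to sign a CI-built tarball unless an
# independent local rebuild is byte-identical to it. Added example, not
# php-src release tooling; assumes sha256sum (or shasum) and, by default, gpg.
set -eu

# Print only the SHA-256 hex digest of a file.
artifact_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Return 0 when the CI artifact and the local rebuild hash identically,
# 1 otherwise. A mismatch means the build is not reproducible or one side
# was altered; either way there is nothing the RM should put a signature on.
verify_reproducible() {
    ci_sum=$(artifact_digest "$1")
    local_sum=$(artifact_digest "$2")
    if [ "$ci_sum" = "$local_sum" ]; then
        echo "reproducible: $ci_sum"
        return 0
    fi
    echo "MISMATCH: ci=$ci_sum local=$local_sum" >&2
    return 1
}

# Sign the CI artifact only after verification succeeds. SIGN_CMD is an
# assumed hook; the default produces a detached ASCII-armored gpg signature,
# which is what gets uploaded alongside the CI-built tarball.
sign_if_reproducible() {
    verify_reproducible "$1" "$2" || return 1
    ${SIGN_CMD:-gpg --armor --detach-sign} "$1"
}

# Constructed sample artifacts standing in for the CI tarball, a faithful
# local rebuild of it, and a copy whose contents differ.
demo_dir=$(mktemp -d)
printf 'php-src release contents\n' > "$demo_dir/ci.tar.gz"
cp "$demo_dir/ci.tar.gz" "$demo_dir/local.tar.gz"
printf 'php-src release contents + extra\n' > "$demo_dir/tampered.tar.gz"
```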