Newsgroups: php.internals
Message-ID: <ef7edce7-8787-4eb0-8fba-254168e1d266@gmail.com>
Date: Tue, 2 Apr 2024 12:05:35 -0600
Subject: Re: [PHP-DEV] Consider removing autogenerated files from tarballs
To: internals@lists.php.net
From: smalyshev@gmail.com (Stanislav Malyshev)


Hi!


>     That is something PHP is missing atm, no one can verify the build
>     process for releases.
>
>
> Yes that's what I was suggesting. This should be done by RM. In that 
> way, the RM becomes more someone that verifies the build and not the 
> actual person that provides the build.

I'm not sure though how the RM can really verify it. I mean, we have the
tar blob that comes from the git repo - which we assume is legit. We
also have some files that aren't in the repo. If the RM builds them by
themselves then the question comes up: what if the RM's environment is
compromised and something bad is injected? If the RM receives the files
from an outside source, how does the RM verify they are genuine? I don't
think reading through the whole "configure" file and verifying it's not
bad is realistic for any person. And from what I understand, "configure"
and such are quite environment-dependent, so you can't just have a
standard hash to compare to. You can't have the RM just run "buildconf"
again and do a hash check because they may get different bits than the
ones coming from the outside, like CI. I dunno, maybe if we had some kind
of Docker image for generating it that would produce a reproducible
result, that'd be possible? Otherwise I am still not sure what the
verification procedure looks like.

Right now, as I understand, we're simply trusting the RM that they have
an uncompromised environment, and third parties have no way to verify
it's the case. But I guess it's time we do better?

Thanks,

Stas
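
One shape the verification procedure discussed above could take, as an added example that is not part of the original message or of PHP's release tooling: compare the release tarball against a `git archive` export of the tag, and accept files that are not in the repo only when an independent rebuild in a pinned environment produced identical bytes. The tarballs, file names and the `audit_release` helper are constructed for illustration.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes):
    """Map each regular file in a tarball to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def audit_release(git_export, release, regenerated):
    """Classify every file in `release` by where its bytes can be traced to."""
    # git_export: tagged tree; regenerated: independent rebuild of generated files
    src, rel, regen = manifest(git_export), manifest(release), manifest(regenerated)
    report = {"from_git": [], "altered": [], "reproduced": [], "unverified": []}
    for name, digest in sorted(rel.items()):
        if name in src:
            report["from_git" if src[name] == digest else "altered"].append(name)
        elif regen.get(name) == digest:
            report["reproduced"].append(name)  # not in git, but rebuilt bit-for-bit
        else:
            report["unverified"].append(name)  # not in git and not reproducible
    report["missing"] = sorted(set(src) - set(rel))
    return report


def make_tar(files):
    """Build an in-memory tarball from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: two tracked files, plus a generated "configure" script.
GIT = make_tar({"main/php.h": b"#define X 1\n", "configure.ac": b"AC_INIT\n"})
REGEN = make_tar({"configure": b"#!/bin/sh\n# generated\n"})
RELEASE = make_tar({"main/php.h": b"#define X 1\n", "configure.ac": b"AC_INIT\n",
                    "configure": b"#!/bin/sh\n# generated\nextra line\n"})
```

A release passes only when `altered`, `unverified` and `missing` are all empty; here `configure` lands in `unverified` because its bytes differ from the independent rebuild.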
