Newsgroups: php.internals
References: <839153A0-004D-4562-BD6E-65923201EDAA@gmail.com> <20260315141049.161081A00BD@lists.php.net>
In-Reply-To: <20260315141049.161081A00BD@lists.php.net>
Date: Sun, 15 Mar 2026 15:55:30 +0100
Subject: Re: [PHP-DEV] [RFC] php-community: a faster-moving, community-driven PHP.
To: PHP Internals
From: daniil.gentili@gmail.com (Daniil Gentili)

> I worked on an automated release workflow[^1] for php-src a few years
> ago, but after discussions with others from various major project
> communities (including Apache, Linux, etc.), I realized the solution
> wasn't workable for one main reason:
>
> An automated workflow cannot sign builds and still be considered secure.
>
> Builds must be signed by a human on the machine where the build took
> place. Automating the signatures in the cloud significantly reduces
> trust and greatly increases the likelihood of a bad actor gaining access
> to sneak things into the build (e.g., through compromised GitHub
> Actions, etc.).

I strongly disagree.

I have way more trust in an automatic build environment with reproducible (key word here) builds than in a (potentially corruptible) human that pinkie swears no changes were made to an autogenerated configure contained in released tarballs.
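As an added illustration of the reproducibility check this reply relies on (example code, not from the thread or from php-src), the script below builds a per-file digest manifest of a published tarball and of an independently rebuilt one and reports every path whose contents differ, which is how a silently altered generated `configure` surfaces regardless of who signed the release. The tar/sha256sum/mktemp tooling and the constructed "php-9.9.0" sample trees are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or php-src: compare a published
# release tarball with an independently rebuilt one, file by file, so a
# change to a generated file such as `configure` is caught no matter who
# signed the release. Assumes tar, sha256sum and mktemp; the "php-9.9.0"
# tarballs created by make_sample_release are constructed test data.

# Print "sha256  ./path" for every regular file inside a tarball, sorted.
tarball_manifest() {
    tmp=$(mktemp -d)
    tar -xf "$1" -C "$tmp"
    (cd "$tmp" && find . -type f | sort | xargs sha256sum)
    rm -rf "$tmp"
}

# Print the paths whose contents differ (or that exist on one side only).
differing_files() {
    ma=$(mktemp); mb=$(mktemp)
    tarball_manifest "$1" > "$ma"
    tarball_manifest "$2" > "$mb"
    diff "$ma" "$mb" | grep '^[<>]' | awk '{print $3}' | sort -u
    rm -f "$ma" "$mb"
}

# Return 0 when the rebuilt tarball reproduces the official one, else 1.
verify_reproducible() {
    bad=$(differing_files "$1" "$2")
    if [ -z "$bad" ]; then
        echo "OK: $2 reproduces the contents of $1"
        return 0
    fi
    echo "MISMATCH: files differing between $1 and $2:"
    echo "$bad"
    return 1
}

# Constructed sample: $1 = output tarball, $2 = contents of the generated
# configure script (hypothetical version number, not a real PHP release).
make_sample_release() {
    src=$(mktemp -d)
    mkdir "$src/php-9.9.0"
    echo 'int main(void) { return 0; }' > "$src/php-9.9.0/main.c"
    printf '%s\n' "$2" > "$src/php-9.9.0/configure"
    tar -cf "$1" -C "$src" php-9.9.0
    rm -rf "$src"
}
```

Run `verify_reproducible official.tar rebuilt.tar` after an independent rebuild; a non-zero exit with `./php-9.9.0/configure` listed means the shipped generated file does not match what the source produces.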