Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] php-community: a faster-moving, community-driven PHP.
Date: Sun, 15 Mar 2026 11:02:11 -0500
To: internals@lists.php.net
References: <839153A0-004D-4562-BD6E-65923201EDAA@gmail.com> <20260315141049.161081A00BD@lists.php.net>
Message-ID: <20260315160212.1498A1A00BD@lists.php.net>
From: ramsey@php.net (Ben Ramsey)

On 3/15/26 09:55, Daniil Gentili wrote:
>> I worked on an automated release workflow[^1] for php-src a few years
>> ago, but after discussions with others from various major project
>> communities (including Apache, Linux, etc.), I realized the solution
>> wasn't workable for one main reason:
>>
>> An automated workflow cannot sign builds and still be considered secure.
>>
>> Builds must be signed by a human on the machine where the build took
>> place. Automating the signatures in the cloud significantly reduces
>> trust and greatly increases the likelihood of a bad actor gaining access
>> to sneak things into the build (e.g., through compromised GitHub
>> Actions, etc.).
>
> I strongly disagree.
>
> I have way more trust in an automatic build environment with reproducible
> (key word here) builds than in a (potentially corruptible) human that
> pinkie swears no changes were made to an autogenerated configure contained
> in released tarballs.

That's why the builds are signed, and the keys used to sign the builds are
also signed by other, trusted parties. If the human who builds it introduces
any changes, we can trace it directly to them because they signed that build.
If their key was compromised, they revoke the key, and the build's signature
now shows as valid but using a revoked key, so others know not to trust it.

Cheers,
Ben
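The situation Ben describes at the end of his message (a signature that still verifies, but under a key its owner has revoked) is exactly the case a release verifier has to handle explicitly, because GnuPG reports it as a valid signature with a warning rather than as a failure. The script below is an added example, not code from php-src, from the thread, or from any PHP release tooling: it drives the trust decision off GnuPG's machine-readable `--status-fd` keywords (`GOODSIG`, `REVKEYSIG`, `EXPKEYSIG`, `BADSIG`, `VALIDSIG`, which are GnuPG's own) and additionally pins the primary-key fingerprint, so that "signed by someone in the keyring" is not enough. The fingerprints, signer name and sample status output are constructed for illustration; only `run_gpg_verify()` touches a real `gpg` binary, and it is not exercised offline.

```python
"""Trust decision for a signed release artifact, driven by GnuPG's
machine-readable --status-fd output rather than by its exit status.

Added example; not code from php-src, the thread, or any PHP release
tooling.  Status keywords are GnuPG's own; fingerprints, signer and the
sample status text are constructed for illustration."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    trusted: bool
    reason: str
    signer: Optional[str] = None
    primary_fpr: Optional[str] = None


def parse_status(status_text: str) -> dict[str, list[str]]:
    """Map each status keyword to the argument strings gpg printed for it."""
    seen: dict[str, list[str]] = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
        if keyword:
            seen.setdefault(keyword, []).append(rest.strip())
    return seen


def evaluate(status_text: str, pinned_primary_fprs: set[str]) -> Verdict:
    """Accept only a signature that (a) verifies, (b) was made by a key that
    is neither revoked nor expired, and (c) chains to a pinned *primary* key
    fingerprint.  Web-of-trust state (TRUST_*) is deliberately ignored: a
    release verifier pins fingerprints instead of trusting a keyring."""
    seen = parse_status(status_text)

    # gpg emits one of GOODSIG/REVKEYSIG/EXPKEYSIG/EXPSIG/BADSIG/ERRSIG per
    # signature.  Check the failure cases first: a revoked key still yields
    # a VALIDSIG line, which is the case described in the thread.
    if "BADSIG" in seen:
        return Verdict(False, "signature does not verify against the key")
    if "ERRSIG" in seen or "NO_PUBKEY" in seen:
        return Verdict(False, "signature could not be checked (key missing or unsupported)")
    if "REVKEYSIG" in seen:
        signer = seen["REVKEYSIG"][0].partition(" ")[2]
        return Verdict(False, "signature verifies but the signing key is revoked", signer)
    if "EXPKEYSIG" in seen:
        return Verdict(False, "signature verifies but the signing key has expired")
    if "EXPSIG" in seen:
        return Verdict(False, "signature verifies but the signature itself has expired")
    if "GOODSIG" not in seen or "VALIDSIG" not in seen:
        return Verdict(False, "no good signature found")

    signer = seen["GOODSIG"][0].partition(" ")[2]
    # VALIDSIG: <sig-key fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
    #           <hash-algo> <sig-class> <primary-key fpr>
    fields = seen["VALIDSIG"][0].split()
    primary_fpr = fields[9] if len(fields) >= 10 else fields[0]
    if primary_fpr not in pinned_primary_fprs:
        return Verdict(False, f"good signature, but key {primary_fpr} is not a pinned release key",
                       signer, primary_fpr)
    return Verdict(True, "good signature from a pinned, non-revoked release key",
                   signer, primary_fpr)


def run_gpg_verify(signature_path: str, artifact_path: str) -> str:
    """Run gpg and return its status output for evaluate().  The exit status
    is intentionally not used as the trust signal; the keywords are."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1",
         "--verify", signature_path, artifact_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample status output (hypothetical fingerprints and signer).
SIGNING_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
PRIMARY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
LONG_KEYID = SIGNING_FPR[-16:]
SIGNER = "Release Manager <rm@example.invalid>"
_VALIDSIG = f"[GNUPG:] VALIDSIG {SIGNING_FPR} 2026-03-15 1773590531 0 4 0 1 10 00 {PRIMARY_FPR}"

STATUS_GOOD = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {LONG_KEYID} {SIGNER}\n"
               f"{_VALIDSIG}\n[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
STATUS_REVOKED = (f"[GNUPG:] NEWSIG\n[GNUPG:] KEYREVOKED\n"
                  f"[GNUPG:] REVKEYSIG {LONG_KEYID} {SIGNER}\n{_VALIDSIG}\n")
STATUS_BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {LONG_KEYID} {SIGNER}\n"

if __name__ == "__main__":
    pinned = {PRIMARY_FPR}
    for name, text in (("good", STATUS_GOOD), ("revoked", STATUS_REVOKED), ("bad", STATUS_BAD)):
        v = evaluate(text, pinned)
        print(f"{name:8s} trusted={v.trusted}  {v.reason}")
```

Two design points worth noting. First, the revoked case is rejected even though `VALIDSIG` is present, which is the whole reason to read the keywords rather than just "did the signature verify". Second, pinning is done on the primary-key fingerprint (the last `VALIDSIG` field) rather than the signing subkey, so a release manager can rotate signing subkeys without the verifier's allowlist changing, while a stranger's key that happens to be in the keyring is still refused.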