Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:77705 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 6597 invoked from network); 29 Sep 2014 17:21:08 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 29 Sep 2014 17:21:08 -0000 Authentication-Results: pb1.pair.com smtp.mail=johannes@schlueters.de; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=johannes@schlueters.de; sender-id=unknown Received-SPF: error (pb1.pair.com: domain schlueters.de from 217.114.215.10 cause and error) X-PHP-List-Original-Sender: johannes@schlueters.de X-Host-Fingerprint: 217.114.215.10 mail.experimentalworks.net Received: from [217.114.215.10] ([217.114.215.10:43871] helo=mail.experimentalworks.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 07/23-18131-30599245 for ; Mon, 29 Sep 2014 13:21:08 -0400 Received: by mail.experimentalworks.net (Postfix, from userid 1003) id 9545542549; Mon, 29 Sep 2014 19:21:16 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on km31408.keymachine.de X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=ALL_TRUSTED autolearn=unavailable version=3.3.2 X-Spam-HAM-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP Received: from [192.168.2.34] (ppp-93-104-18-61.dynamic.mnet-online.de [93.104.18.61]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: johannes@schlueters.de) by mail.experimentalworks.net (Postfix) with ESMTPSA id B332D42546; Mon, 29 Sep 2014 19:21:14 +0200 (CEST) Message-ID: <1412011256.18768.6.camel@kuechenschabe> To: Pierre Schmitz Cc: internals@lists.php.net Date: Mon, 29 Sep 2014 19:20:56 +0200 In-Reply-To: References: <0cb6f4a2d771155c6cad865f945e98e6@archlinux.de> <46ABAB22-F304-4BC3-A3AE-02DE462565D2@lerdorf.com> <1412003052.13103.30.camel@kuechenschabe> Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-Pw7HsYHICJ6FkKRG82yw" X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Subject: Re: [PHP-DEV] Re: What happened to the 5.6.1 release? From: johannes@schlueters.de (Johannes =?ISO-8859-1?Q?Schl=FCter?=) --=-Pw7HsYHICJ6FkKRG82yw Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, 2014-09-29 at 18:35 +0200, Pierre Schmitz wrote: > Am 29.09.2014 17:04, schrieb Johannes Schl=C3=BCter: > > On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote: > >> >> Actually, some php.net machines have been compromised and prevent u= s > >> >> from releasing 5.6.1. > > [...] > > Q: Is the git repo affected? > > A: No. The infected box is a different one. git's cryptographic commit > > identifiers and distributed antature along with out automatic mirroring > > to github serve as further mitigation for potential issues. >=20 > This sounds like it wont be that bad of an idea to build directly from a= =20 > git tag if you know how. Together with signed tags this should be more= =20 > trustworthy imho. I don't see a huge downside here. In a general case this might lead to issues due to different behavior by different autoconf or bison or whatever versions. The issues might go from failing builds over slightly different error message on parse errors to something completely weird. In recent years we had little of these issues ... so if you feel confident with using git, buildconf and these extra tools you can do that. > I wonder if one could replace that release server with a simple vagrant= =20 > setup or similar so the RM can actually create release archives on his= =20 > own. Still you have to make sure the base box image and puppet (or such) scripts are hosted on a proper box. Might be good if somebody looks into this, when doing mind that snaps should be created using the same toolchain. johannes --=-Pw7HsYHICJ6FkKRG82yw Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAABAgAGBQJUKZT8AAoJEH3sTmn8nIPXcmQIAIf5Jw6CyE6iq7oXLOD6WhKT X8e/s1UtBq2ZKTztap53+xOlvM7qMd9bqDdZNnaUP5KpTwMUY1R3GecGyqCEF2Jn DLpE/zDm4l5a5a8S0R5oPlbizWBD7D5cYnnJR6OoqC2oKHElaTyVhyvwYyNayXQ6 eu2nP5TZOJMghUojbUyZK+5rtGgs7C3BuwAhSD4wqCirhUELQVXGttT5WH+Ik6Fn 2nW45b9/Ilf4DmK0A8a8XARY5Qb2QX+5o1EY2ZeImvI9SvC5tardT/U/iZcgjNEN j39jclFDjCV+Kl0/pj0iPFmD6Yn1MVxWJanfZM8B4DzHsfRu5Pcw0obyxatRmIE= =ykQl -----END PGP SIGNATURE----- --=-Pw7HsYHICJ6FkKRG82yw--