Hello,
Would it be possible for php.net to publish a cryptographically signed
(e.g. openssl_sign() with an RSA private key kept offline) list in a
pre-defined location (e.g. /stable_versions.txt) so that scripts can be
written to read (and cache) the latest stable versions?
I'm going to write a killswitch module that can be included in any PHP
project that basically does this:
- fetch stable_versions.txt
- verify RSA signature
- check phpversion() and the stable versions listed - are we running a
stable PHP version?
  - yes: cache result for 24 hours to prevent redundant lookups.
  - no: kill script termination, explaining that PHP is out of date and
    needs to be updated
The idea is to remind and motivate the sysadmin to keep their software up
to date to prevent known security vulnerabilities from being exploited.
If you are not okay with this, I'm going to write/publish the killswitch
configured to look at my own server. :)
Scott
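As an added example (not code from the thread or from php.net), a self-contained PHP sketch of the module Scott outlines: the list format, the detached-signature layout and the sample version numbers are constructed assumptions, and the key pair is generated on the fly only so the snippet runs offline.

```php
<?php
// Added example, not code from the thread. Assumed layout: stable_versions.txt
// holds one "major.minor.patch" per line and a detached RSA-SHA256 signature is
// published beside it. The key pair is generated here only so this runs offline.

/** True only if $sig is a valid RSA-SHA256 signature over $list. */
function verifyVersionList(string $list, string $sig, string $pubKeyPem): bool
{
    $pub = openssl_pkey_get_public($pubKeyPem);
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error).
    return $pub !== false && openssl_verify($list, $sig, $pub, OPENSSL_ALGO_SHA256) === 1;
}

/** Parse a verified list; blank lines, comments and RC/beta tags are ignored. */
function parseStableVersions(string $list): array
{
    $versions = [];
    foreach (preg_split('/\R/', $list) as $line) {
        if (preg_match('/^\d+\.\d+\.\d+$/', trim($line))) {
            $versions[] = trim($line);
        }
    }
    return $versions;
}

/** Is $running at least the newest stable release of its own x.y branch? */
function isStable(string $running, array $stable): bool
{
    $branch = implode('.', array_slice(explode('.', $running), 0, 2)) . '.';
    $latest = null;
    foreach ($stable as $v) {
        if (strpos($v, $branch) === 0 && ($latest === null || version_compare($v, $latest, '>'))) {
            $latest = $v;
        }
    }
    // A branch absent from the list (end-of-life) is never considered stable.
    return $latest !== null && version_compare($running, $latest, '>=');
}

// Constructed demo: sign a sample list with a throwaway key, then run the check.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubPem = openssl_pkey_get_details($key)['key'];
$list = "5.4.36\n5.5.20\n5.6.4\n";
openssl_sign($list, $sig, $key, OPENSSL_ALGO_SHA256);
if (!verifyVersionList($list, $sig, $pubPem) || verifyVersionList($list . "9.9.9\n", $sig, $pubPem)) {
    exit("signature check misbehaved; refusing to trust the list\n");
}
$stable = parseStableVersions($list);
foreach (['5.6.4', '5.5.19', '5.3.29', PHP_VERSION] as $v) {
    echo $v, isStable($v, $stable) ? ": stable\n" : ": out of date, update PHP\n";
}
```

The tampered-copy check in the demo is the property the whole scheme rests on: an appended line must invalidate the signature, otherwise the list is not worth fetching.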
Hi Scott,
I already do something similar to this for some of my CI, ensuring
tests pass on new versions of PHP.
I use the following shell script snippet to check for new versions (If
there's a diff I parse the output with PHP to find which new
version)
git ls-remote -t https://github.com/php/php-src | cut -d '/' -f3 | grep -P '^php-5\.\d+\.\d+' | sort -V
Maybe you can use this too. You can add an end assertion to the regex
to omit RC/beta tags.
Regards,
Leigh.
From: Leigh [mailto:leight@gmail.com]
On 7 January 2015 at 12:52, Scott Arciszewski kobrasrealm@gmail.com wrote:
Would it be possible for php.net to publish a cryptographically signed
(e.g. openssl_sign() with an RSA private key kept offline) list in a
pre-defined location (e.g. /stable_versions.txt) so that scripts can be
written to read (and cache) the latest stable versions?
I already do something similar to this for some of my CI, ensuring
tests pass on new versions of PHP.
I use the following shell script snippet to check for new versions (If
there's a diff I parse the output with PHP to find which new
version)
git ls-remote -t https://github.com/php/php-src | cut -d '/' -f3 | grep -P '^php-5\.\d+\.\d+' | sort -V
And what about extracting the information you require via the GitHub API? Exploring the release information for the 'php/php-src' project, you would get all the information you need. Once you know the names of every available release, it is quite easy to determine if your current version needs upgrading. You can even display how many days have passed since the last stable release, how many days your version is late, etc. I am not a specialist, but GitHub can probably provide the security level you require.
Regards,
François
(cross-posting to php-webmaster as well)
Would it be possible for php.net to publish a cryptographically signed
(e.g. openssl_sign() with an RSA private key kept offline) list in a
pre-defined location (e.g. /stable_versions.txt) so that scripts can be
written to read (and cache) the latest stable versions?
My initial gut feeling is that, with at least three different sets of
RMs at any given time, the process of co-ordinating when to update
this file after a release day, who would own it, and just having it
done in a timely fashion is probably beyond what we should commit to.
I fear we'd be setting an expectation that, at some point, we'd fail
to meet. I also don't think we should add to the already considerable
load our RMs are under on release days.
("We" here means RMs and regular php-web committers, to be clear.)
That said, if you're OK trusting HTTPS and can do without the manual
signing step, we have an unadvertised JSON backend that can provide
the stable release information you'd need:
https://php.net/releases/active.php. This is used by the bug tracker
in conjunction with pulling version information from qa.php.net, so it
should be reliable.
Adam
That said, if you're OK trusting HTTPS and can do without the manual
signing step,
I'm not and cannot. After Diginotar and the Snowden revelations, I place
zero trust in CAs. :)
we have an unadvertised JSON backend that can provide
the stable release information you'd need:
https://php.net/releases/active.php. This is used by the bug tracker
in conjunction with pulling version information from qa.php.net, so it
should be reliable.
Excellent! This is a wonderful starting point :)
Hi!
https://php.net/releases/active.php. This is used by the bug tracker
in conjunction with pulling version information from qa.php.net, so it
should be reliable.
Excellent! This is a wonderful starting point :)
Note also that while this API does not list it, every release now also
has a crypto signature uploaded together with the package - just add
.asc to the filename. RMs' public keys are listed on
http://php.net/gpg-keys.php
Stas Malyshev
smalyshev@gmail.com