Hi!

    That is something PHP is missing atm, no one can verify the build
    process for releases.


Yes, that's what I was suggesting. This should be done by the RM. In that way, the RM becomes more someone that verifies the build and not the actual person that provides the build.

I'm not sure though how the RM can really verify it. I mean, we have the tar blob that comes from the git repo - which we assume is legit. We also have some files that aren't in the repo. If the RM builds them themselves, then the question comes up: what if the RM's environment is compromised and something bad is injected? If the RM receives the files from an outside source, how does the RM verify they are genuine? I don't think reading through the whole "configure" file and verifying it's not bad is realistic for any person. And from what I understand, "configure" and such are quite environment-dependent, so you can't just have a standard hash to compare to. You can't have the RM just run "buildconf" again and do a hash check, because they may get different bits than the ones coming from the outside, like CI. I dunno, maybe if we had some kind of Docker image for generating it that would produce a reproducible result, that'd be possible? Otherwise I am still not sure what the verification procedure looks like.

Right now, as I understand it, we're simply trusting the RM that they have an uncompromised environment, and third parties have no way to verify that's the case. But I guess it's time we do better?

Thanks,

Stas
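One concrete shape the "pinned Docker image" idea from the message above could take, added here as an illustration and not code from the thread or from the php-src project: regenerate the non-repo files from a clean checkout inside an image pinned by digest, hash them, and compare against the files shipped in the release tarball. The image name, its digest and the list of generated files are placeholders assumed for this example; `./buildconf --force` and `sha256sum` are the real tools.

```shell
#!/bin/sh
# Added example: check that generated files shipped in a release tarball match
# what a pinned build container produces from the same source tree.
# Assumptions (placeholders for this example): docker is available, IMAGE is a
# digest-pinned image with autoconf installed, GENERATED lists the files that
# buildconf produces and that are not tracked in git.
set -eu

IMAGE="php-buildconf@sha256:PLACEHOLDER_DIGEST"   # pin by digest, never by tag
GENERATED="configure main/php_config.h.in"

# Regenerate the files from a read-only copy of the checkout inside the pinned
# image and write a "sha256  path" manifest of them to $2.
rebuild_manifest() {
    src_dir="$1"; out="$2"
    docker run --rm -v "$src_dir:/src:ro" "$IMAGE" sh -c \
        "cp -r /src /work && cd /work && ./buildconf --force >/dev/null && \
         sha256sum $GENERATED" > "$out"
}

# Write the same manifest for the files as shipped in an extracted tarball.
shipped_manifest() {
    tarball_dir="$1"; out="$2"
    (cd "$tarball_dir" && sha256sum $GENERATED) > "$out"
}

# Compare two manifests. Every path in $1 (the rebuilt, expected manifest) must
# appear in $2 with the same hash. Prints each mismatch; returns 0 only when
# all expected files are present and identical.
compare_manifests() {
    expected="$1"; actual="$2"; status=0
    for path in $(awk '{print $2}' "$expected"); do
        want=$(awk -v p="$path" '$2 == p {print $1}' "$expected")
        got=$(awk -v p="$path" '$2 == p {print $1}' "$actual")
        if [ -z "$got" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$want" != "$got" ]; then
            echo "DIFFERS  $path"; status=1
        fi
    done
    return $status
}

# Usage (host with docker): rebuild_manifest ./php-src /tmp/rebuilt &&
#   shipped_manifest ./php-8.x.y /tmp/shipped && compare_manifests /tmp/rebuilt /tmp/shipped
```

A third party can run the same image digest and the same script, which is what turns the RM from the sole producer of the generated files into one of several independent verifiers.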
