Hi

On Sat, Mar 30, 2024 at 1:39 PM Daniil Gentili <daniil.gent...@gmail.com>
wrote:

> Hi,
>
>
> >The idea is that we would set up a workflow on CI that would run on tag push
> and it would call (authenticated https request) downloads.php.net server
> that could do the actual build
>
> I strongly believe that source tarballs should contain *only* the source
> code contained in the VCS.
>
That would break lots of tools as it requires extra dependencies, so it is
not something that could be done in stable versions. It is also a pretty
standard thing to distribute configure files (which is the file that
probably matters most). Also don't forget that we need to also provide
Windows builds, which are binaries, so we need some sort of verification of
this type in any case.

>
> Distributing "half-built" source code (even if it's generated by a CI, and
> especially by a build server on downloads.php.net, which can be
> compromised) defeats the reproducibility and transparency purposes of
> building from source.
>

It would require compromising the CI as well as the download servers at the
same time, which seems to me like an impossible scenario.

Regards

Jakub
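
One way to act on the verification concern raised in this exchange (checking that a release tarball's VCS-tracked files are byte-identical to the tag and that only allowlisted generated files such as `configure` were added on top), as an added example that is not part of the thread or of the PHP project's own release tooling. The file contents, the `php-8.3.0/` tarball prefix and the allowlist are constructed stand-ins; in practice the VCS tree would come from `git archive` of the tag.

```python
import hashlib
import io
import tarfile

# Constructed sample VCS tree for a tag: path -> bytes (not real PHP sources).
VCS_TREE = {
    "configure.ac": b"AC_INIT([php], [8.3.0])\n",
    "main/main.c": b"int main(void) { return 0; }\n",
}
# Hypothetical allowlist of generated files a tarball may add on top of VCS.
ALLOWED_GENERATED = {"configure"}

def build_tarball(files, prefix="php-8.3.0/"):
    """Build an in-memory .tar.gz from {path: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def check_tarball(tar_bytes, vcs_tree, allowed_generated):
    """Classify tarball contents against the VCS tree of the tagged commit.
    VCS-tracked files must be byte-identical; extra files pass only when
    allowlisted (e.g. autoconf output). Returns a report dict with an "ok" flag.
    """
    tar_files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():  # strip the top-level php-x.y.z/ directory
                tar_files[m.name.split("/", 1)[1]] = tar.extractfile(m).read()
    report = {"missing": [], "modified": [], "generated": [], "unexpected": []}
    for path, data in sorted(vcs_tree.items()):
        if path not in tar_files:
            report["missing"].append(path)
        elif hashlib.sha256(tar_files[path]).digest() != hashlib.sha256(data).digest():
            report["modified"].append(path)
    for path in sorted(set(tar_files) - set(vcs_tree)):
        key = "generated" if path in allowed_generated else "unexpected"
        report[key].append(path)
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report

if __name__ == "__main__":
    release = dict(VCS_TREE, configure=b"#!/bin/sh\n# generated by autoconf\n")
    release["build/extra.m4"] = b"dnl not in VCS\n"  # simulated unexpected file
    print(check_tarball(build_tarball(release), VCS_TREE, ALLOWED_GENERATED))
```

A tarball passes only when every tracked file matches and every extra file is on the allowlist, so a generated `configure` is tolerated while an unlisted addition or an altered source file is flagged.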
