> On Mar 31, 2024, at 11:08, Robert Landers <landers.rob...@gmail.com> wrote:
> 
> There are probably multiple parties that require trust: the people
> hosting the CI servers, the people with access to the CI servers, the
> RM, and maybe more that I can't think of right now.
> 
> One option would be to have
> 
> - CI push the code + generated files to a git-branch `php-8.3-built`
> (or something) so that changes can be reviewed, along with the
> tarball.
> - CI signs the commit and tarball.
> - RM checks out commit and also signs the tarball, then does a git
> commit --amend --signoff and "blesses" the commit
> - RM releases tarball


When I was considering this and created a PR that followed these steps, I 
discussed the process with folks from other open source communities, notably 
the Apache Software Foundation community, since some of their projects follow 
similar processes. The notion of automating the build and signing it on a 
remote machine, only to be inspected and signed again on the release manager’s 
machine, was outright rejected by everyone. The machine where it is signed by 
the RM should be the machine where it is built, according to everyone I spoke 
with.

As it stands right now, if we build the tarball on a remote machine (in CI), 
and then the RM wants to compare it and build it locally, the hashes on those 
tarballs will be different because we can’t guarantee reproducible builds. If 
we could guarantee reproducible builds, then maybe this process could work, but 
it would still require the RM to build it locally from the source tag in order 
to trust and verify that nothing sneaked in on the CI machine.

Cheers,
Ben
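As an added illustration (my own Python, not code from this thread, from php-src, or from the PHP release tooling), here is what the RM's "compare the CI tarball with a local rebuild" check looks like with and without a reproducible tarball. The source tree, its file names and all timestamps are constructed; `SOURCE_DATE_EPOCH` is only the usual naming convention for the pinned timestamp, and `explain_difference` is my own helper that turns a bare hash mismatch into a field-by-field list so metadata drift can be told apart from a content change.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree" (path -> content). The names only mimic a
# php-src layout; nothing here is real PHP source.
SOURCE_TREE = {
    "php-8.3.0/configure": b"#!/bin/sh\necho configuring\n",
    "php-8.3.0/main/main.c": b"int main(void) { return 0; }\n",
    "php-8.3.0/Zend/zend_language_parser.c": b"/* generated by bison */\n",
}
TARINFO_FIELDS = ("mtime", "uid", "gid", "uname", "gname", "mode", "size")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def naive_tarball(files: dict, build_time: int) -> bytes:
    """Archive the way an unconfigured CI job typically does: members in the
    order the directory walk produced, file mtimes from when the build wrote
    them, and the wall clock stamped into the gzip header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time          # drifts between CI and the RM's box
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=build_time)  # header drifts too

def reproducible_tarball(files: dict, source_date_epoch: int) -> bytes:
    """Normalise every header field that is not derived from the source
    content, so two independent builds of the same tree are byte-identical."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):            # fixed member order
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch    # pinned (SOURCE_DATE_EPOCH convention)
            info.uid = info.gid = 0           # no builder identity leaks in
            info.uname = info.gname = ""
            info.mode = 0o755 if data.startswith(b"#!") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=0)  # gzip header timestamp pinned

def hashes_match(ci_tarball: bytes, local_tarball: bytes) -> bool:
    """The RM's check: does the CI artifact equal a local rebuild from the tag?"""
    return sha256(ci_tarball) == sha256(local_tarball)

def _members(blob: bytes) -> dict:
    """Name -> (TarInfo, content digest) for every member of a .tar.gz."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            digest = sha256(tar.extractfile(m).read()) if m.isreg() else None
            out[m.name] = (m, digest)
    return out

def _gzip_header_mtime(blob: bytes) -> int:
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        gz.read(1)  # forces the gzip header to be parsed
        return gz.mtime

def explain_difference(tarball_a: bytes, tarball_b: bytes) -> list:
    """List of (member, field, a, b) tuples: what actually differs between two
    archives, so a reviewer can tell metadata drift from a content change."""
    diffs = []
    ma, mb = _gzip_header_mtime(tarball_a), _gzip_header_mtime(tarball_b)
    if ma != mb:
        diffs.append(("<gzip header>", "mtime", ma, mb))
    a, b = _members(tarball_a), _members(tarball_b)
    if list(a) != list(b):
        diffs.append(("<archive>", "member order", list(a), list(b)))
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            diffs.append((name, "present", name in a, name in b))
            continue
        (ia, da), (ib, db) = a[name], b[name]
        for field in TARINFO_FIELDS:
            if getattr(ia, field) != getattr(ib, field):
                diffs.append((name, field, getattr(ia, field), getattr(ib, field)))
        if da != db:
            diffs.append((name, "content", da, db))
    return diffs

if __name__ == "__main__":
    # CI built at one time in one directory order; the RM rebuilt an hour
    # later and the walk came out reversed. Same sources, different bytes.
    ci = naive_tarball(SOURCE_TREE, build_time=1711868880)
    local = naive_tarball(dict(reversed(list(SOURCE_TREE.items()))), build_time=1711872480)
    print("naive hashes match:", hashes_match(ci, local))
    for d in explain_difference(ci, local):
        print("  drift:", d)
    ci = reproducible_tarball(SOURCE_TREE, source_date_epoch=1711868880)
    local = reproducible_tarball(dict(reversed(list(SOURCE_TREE.items()))), source_date_epoch=1711868880)
    print("reproducible hashes match:", hashes_match(ci, local))
```

Run as-is, the naive pair disagrees on the gzip header timestamp, the member order and every member's mtime even though no content changed, which is exactly the situation where a hash comparison tells the RM nothing. The reproducible pair matches, and a real content edit still shows up in `explain_difference` as a `content` entry for the affected member; that is the precondition under which comparing a CI artifact against a local build from the tag becomes a meaningful check rather than a guaranteed mismatch.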
