On Mon, Apr 1, 2024 at 1:53 AM Ben Ramsey <b...@benramsey.com> wrote:
>
> > On Mar 31, 2024, at 11:08, Robert Landers <landers.rob...@gmail.com> wrote:
> >
> > There are probably multiple parties that require trust: the people
> > hosting the CI servers, the people with access to the CI servers, the
> > RM, and maybe more that I can't think of right now.
> >
> > One option would be to have
> >
> > - CI push the code + generated files to a git-branch `php-8.3-built`
> > (or something) so that changes can be reviewed, along with the
> > tarball.
> > - CI signs the commit and tarball.
> > - RM checks out the commit and also signs the tarball, then does a git
> > commit --amend --signoff and "blesses" the commit
> > - RM releases tarball
>
>
> When I was considering this and created a PR that followed these steps, I 
> discussed the process with folks from other open source communities, notably 
> the Apache Software Foundation community, since some of their projects follow 
> similar processes. The notion of automating the build and signing it on a 
> remote machine, only to be inspected and signed again on the release 
> manager’s machine was outright rejected by everyone. The machine where it is 
> signed by the RM should be the machine where it is built, according to 
> everyone I spoke with.
>
> As it stands right now, if we build the tarball on a remote machine (in CI), 
> and then the RM wants to compare it and build it locally, the hashes on those 
> tarballs will be different because we can’t guarantee reproducible builds. If 
> we could guarantee reproducible builds, then maybe this process could work, 
> but it would still require the RM to build it locally from the source tag in 
> order to trust and verify that nothing sneaked in on the CI machine.
>
> Cheers,
> Ben
>

I think the big point is to store the generated files in git for CI
builds. To verify the tarball is that commit, check out the branch and
untar the file; there should be no changes, git clean should result in
no removed files, etc. This would make injecting malicious code
visible, at the very least. Whether someone catches it and actually
reviews the generated files is a different question. But if we wanted
something that is better than nothing... it's a pretty simple
solution.

Reproducible builds are an orthogonal but related problem.
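The check described in the reply above, as an added example that is not part of the thread or of php-src: a POSIX shell function that clones the reviewed branch, unpacks the tarball over an emptied checkout, and fails if git reports any modified, missing, or extra file. The branch name `php-8.3-built`, the fixture repo and tarballs are constructed here for illustration; it assumes git and tar are installed and that the tarball has a single top-level `php-X.Y.Z/` directory.

```shell
#!/bin/sh
# Added example (not php-src code): verify that a release tarball reproduces
# a reviewed git branch exactly. Assumes git and tar are installed and the
# tarball carries one top-level directory such as php-8.3.0/.

# verify_tarball <repo-url-or-path> <branch> <tarball>  -> exit 0 if identical
verify_tarball() {
    repo=$1; branch=$2; tarball=$3
    work=$(mktemp -d) || return 1
    src="$work/src"
    # Fresh clone so no stale local state can mask a difference.
    git clone -q --branch "$branch" "$repo" "$src" || { rm -rf "$work"; return 1; }
    # Empty the working tree (keeping .git) so files missing from the
    # tarball show up as deleted instead of being silently kept.
    find "$src" -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +
    tar -xf "$tarball" --strip-components=1 -C "$src" || { rm -rf "$work"; return 1; }
    # Any output line is a discrepancy: ' M' modified, ' D' missing,
    # '??' untracked (injected), '!!' injected but hidden by .gitignore.
    diff_lines=$(git -C "$src" status --porcelain --ignored --untracked-files=all)
    rm -rf "$work"
    if [ -n "$diff_lines" ]; then
        printf 'tarball does not match %s:\n%s\n' "$branch" "$diff_lines" >&2
        return 1
    fi
}

# make_fixture <dir>: constructed test data, not a real release. Builds a tiny
# repo on branch php-8.3-built, a matching good.tar, and bad.tar containing
# one extra file that is not in the branch (stands in for a CI-side injection).
make_fixture() {
    d=$1; tree="$d/php-8.3.0"
    mkdir -p "$tree/Zend" "$tree/ext"
    printf 'int main(void) { return 0; }\n' > "$tree/main.c"
    printf '/* generated parser, committed by CI */\n' > "$tree/Zend/zend_language_parser.c"
    git -C "$tree" init -q
    git -C "$tree" symbolic-ref HEAD refs/heads/php-8.3-built
    git -C "$tree" add -A
    git -C "$tree" -c user.name=ci -c user.email=ci@example.invalid commit -q -m "CI build"
    tar -cf "$d/good.tar" -C "$d" --exclude=.git php-8.3.0
    printf '/* not in the reviewed branch */\n' > "$tree/ext/extra.c"
    tar -cf "$d/bad.tar" -C "$d" --exclude=.git php-8.3.0
}

# Demo on the constructed fixture; the exit status of verify_tarball is the verdict.
fx=$(mktemp -d); make_fixture "$fx"
verify_tarball "$fx/php-8.3.0" php-8.3-built "$fx/good.tar" && echo "good.tar: matches branch"
verify_tarball "$fx/php-8.3.0" php-8.3-built "$fx/bad.tar" || echo "bad.tar: rejected"
rm -rf "$fx"
```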
