On Sat, 30 Mar 2024, Jakub Zelenka wrote:

> On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta <ocram...@gmail.com> wrote:
> >
> > I understand that the XZ project had signed releases too: that still 
> > means that downstream consumers would need to trust the release 
> > managers anyway, and reproduce the whole chain themselves.
> >
> > I suppose that's part of OP's concern.
> >
> I agree that compromised RM is a problem that we should look into.
> 
> We have been actually already discussing something similar. I have 
> been thinking about it and it could be potentially used for all 
> builds. The idea is that we would set up a workflow on CI that would run 
> on tag push and it would call (authenticated https request) 
> downloads.php.net server that could do the actual build, sign them and 
> return the hashes to the CI job which would display them and do extra 
> verification (probably its own build to verify that download server 
> work as expected).

...

> It needs more thinking to iron out all the details and make sure it is 
> secure, but I think it would be something worth looking at.

I don't mind coming up with an automated way, but we probably should not 
use the *downloads* server. All it does is serve files. It has no 
compiler or anything else. It's a storage optimised instance with little 
CPU.

On CI we already test the builds; what stops us from also just 
having it make the tarball and attach it as an artefact? We can then 
set up something on the downloads server to pull these artefacts. In 
fact, this is exactly what we're already hoping to do for Windows 
downloads too. Having it all in one place is probably even better (and 
easier).

Of course, having CI make the tarballs means we need to trust that CI 
isn't compromised ;-).

cheers,
Derick

-- 
https://derickrethans.nl | https://xdebug.org | https://dram.io

Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/support

mastodon: @derickr@phpc.social @xdebug@phpc.social
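An added example of the verification step discussed above, written for this page and not code from the PHP project or from anyone in the thread: a release tarball is built from a source tree in a reproducible way, its SHA-256 is recorded, and an independent party (the CI job, or a downstream consumer) rebuilds it and compares hashes. It also diffs the archive against the tree it claims to come from, which catches a file that exists only in the tarball, the kind of divergence a compromised build host or release manager could introduce. The prefix `php-9.9.9`, the tag timestamp, the file names and their contents are constructed sample data; `build_tarball`, `tarball_vs_tree` and `inject_file` are names chosen for this example.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile


def list_source_files(src_dir):
    """Sorted, slash-separated relative paths of all regular files in src_dir."""
    found = []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), src_dir)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def _gzip_bytes(data):
    out = io.BytesIO()
    # mtime=0 and an empty name keep the gzip header identical between builds
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(data)
    return out.getvalue()


def build_tarball(src_dir, prefix, mtime):
    """Pack src_dir under prefix/ as a reproducible tar.gz.

    Sources of non-determinism are pinned: entry order (sorted), mtime (the
    tag's commit time, passed in), owner (0/0, no names) and mode (only the
    executable bit survives from the checkout)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in list_source_files(src_dir):
            full = os.path.join(src_dir, rel)
            info = tarfile.TarInfo(name=f"{prefix}/{rel}")
            info.size = os.path.getsize(full)
            info.mtime = mtime
            info.mode = 0o755 if os.access(full, os.X_OK) else 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    return _gzip_bytes(raw.getvalue())


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tarball_vs_tree(tarball, src_dir, prefix):
    """Discrepancies between the archive and the tree it claims to be built
    from: files only in the tarball, files missing, or changed bytes.
    An empty list means the archive is exactly the tree."""
    expected = {}
    for rel in list_source_files(src_dir):
        with open(os.path.join(src_dir, rel), "rb") as fh:
            expected[rel] = fh.read()
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if not member.name.startswith(prefix + "/"):
                problems.append(f"unexpected path: {member.name}")
                continue
            rel = member.name[len(prefix) + 1:]
            seen.add(rel)
            if rel not in expected:
                problems.append(f"only in tarball: {rel}")
            elif tar.extractfile(member).read() != expected[rel]:
                problems.append(f"content differs: {rel}")
    problems.extend(f"missing from tarball: {rel}" for rel in sorted(set(expected) - seen))
    return problems


def inject_file(tarball, name, data, mtime):
    """Simulate tampering on the build or download host: re-pack the archive
    with one extra file that does not exist in the source tree."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as src, \
            tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as dst:
        for member in src.getmembers():
            dst.addfile(member, src.extractfile(member) if member.isfile() else None)
        extra = tarfile.TarInfo(name=name)
        extra.size, extra.mtime = len(data), mtime
        dst.addfile(extra, io.BytesIO(data))
    return _gzip_bytes(raw.getvalue())


def demo():
    """Constructed scenario: one build, an independent rebuild, and a
    tampered copy. Returns what each check reports."""
    prefix, tag_time = "php-9.9.9", 1711756800  # constructed tag name and commit time
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "ext"))
        with open(os.path.join(src, "configure.ac"), "wb") as fh:
            fh.write(b"AC_INIT([php], [9.9.9])\n")
        with open(os.path.join(src, "ext", "hello.c"), "wb") as fh:
            fh.write(b"int hello(void) { return 1; }\n")
        release = build_tarball(src, prefix, tag_time)   # what the build host produced
        published = sha256_hex(release)                   # the hash that gets published/signed
        rebuilt = build_tarball(src, prefix, tag_time)    # CI's own independent build
        tampered = inject_file(release, f"{prefix}/injected.m4", b"# not in git\n", tag_time)
        return {
            "reproducible": sha256_hex(rebuilt) == published,
            "clean_problems": tarball_vs_tree(release, src, prefix),
            "tampered_hash_matches": sha256_hex(tampered) == published,
            "tampered_problems": tarball_vs_tree(tampered, src, prefix),
        }


if __name__ == "__main__":
    print(demo())
```

The hash comparison only proves that two builders agreed; the tree diff is what tells you *why* they disagreed, and it is the check that would have flagged a build script present in the release archive but absent from the tagged tree. Both are cheap enough to run on every tag push, in the same CI job that already tests the build.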
