On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka <bu...@php.net> wrote:

> We will still need RM to sign the build so ideally we should make it
> reproducible so RM can verify that CI produced expected build and then sign
> it and just upload the signatures (not sure if we actually need signature
> uploaded or if they are used just in announcements).
>
> I think this should then prevent compromise of the RM and CI unless CI is
> compromised by RM, of course, but that should be very unlikely.
>
> Regards
>
> Jakub

On the side of the CI being compromised, this does happen, typically with authed private hosted CI, like Jenkins. But if it's open and accessible to everyone to monitor, such as GitHub Actions, everyone can monitor and audit the build logs to verify the commands ran and nothing unexpected happened during build.
That is something PHP is missing atm; no one can verify the build process for releases.
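The check Jakub describes (RM rebuilds the release locally, compares it against what CI produced, and only then signs) can be put into a small gate script. The following is an added example written for this thread; it is not code from the PHP project or from either poster. It assumes the packaging step is deterministic, uses a constructed source tree and a plain text file `release.txt` as a stand-in for a real tarball, and takes the CI-side digest as a string (in practice it would come from the public CI log or a published checksum file). The `build_artifact_unreproducible` function is the deliberate counter-example: it leaks the build directory into the output, which is the kind of thing that makes a rebuild diverge and should block signing.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not php-src release tooling).
# Gate for release signing: sign only if the RM's local rebuild has the same
# SHA-256 as the artifact CI reported for its own build.
set -eu

# Portable SHA-256 of a file: prefer sha256sum, fall back to shasum/openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Constructed sample source tree standing in for a checkout at a release tag.
make_source_tree() {
    mkdir -p "$1/ext"
    printf 'main program\n' > "$1/main.c"
    printf 'extension\n' > "$1/ext/foo.c"
}

# Deterministic "build": fixed header plus the sources in sorted path order.
# No timestamps, hostnames or build paths leak into the output, so two
# independent builds of the same tree yield byte-identical artifacts.
build_artifact() {
    srcdir="$1"; artifact="$2"
    {
        printf 'release-8.x.0\n'
        ( cd "$srcdir" && find . -type f | LC_ALL=C sort ) | while read -r f; do
            printf '== %s ==\n' "$f"
            cat "$srcdir/$f"
        done
    } > "$artifact"
}

# Anti-pattern for comparison: embeds the absolute build directory, so the
# RM's rebuild (in a different directory) never matches the CI artifact.
build_artifact_unreproducible() {
    build_artifact "$1" "$2"
    printf 'build-dir: %s\n' "$(cd "$(dirname "$2")" && pwd)" >> "$2"
}

# Signing gate: returns 0 when the local artifact matches the CI digest,
# 1 otherwise. The caller invokes gpg only when this returns 0.
verify_reproducible() {
    ci_digest="$1"; local_artifact="$2"
    local_digest=$(sha256_of "$local_artifact")
    if [ "$ci_digest" = "$local_digest" ]; then
        echo "OK: local rebuild matches CI digest $ci_digest; safe to sign"
        return 0
    fi
    echo "MISMATCH: CI=$ci_digest local=$local_digest; do NOT sign, inspect the CI job log" >&2
    return 1
}

# Stand-alone demo: simulate the CI build and the RM's rebuild of one tree.
demo() {
    work=$(mktemp -d)
    make_source_tree "$work/src"
    mkdir -p "$work/ci" "$work/rm"
    build_artifact "$work/src" "$work/ci/release.txt"     # what CI built
    ci_digest=$(sha256_of "$work/ci/release.txt")         # what CI logged
    build_artifact "$work/src" "$work/rm/release.txt"     # RM's local rebuild
    verify_reproducible "$ci_digest" "$work/rm/release.txt"
    rm -rf "$work"
}

demo
```

The value of the gate is that it ties the signature to something a third party can also reproduce: anyone with the public CI log and the tag can run the same rebuild and confirm the digest the RM signed, which is exactly the audit step the thread says is missing today.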