On Tue, Apr 2, 2024 at 3:35 PM tag Knife <fennic...@gmail.com> wrote:
> On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka <bu...@php.net> wrote:
>> We will still need RM to sign the build so ideally we should make it
>> reproducible so RM can verify that CI produced expected build and then sign
>> it and just upload the signatures (not sure if we actually need signature
>> uploaded or if they are used just in announcements).
>>
>> I think this should then prevent compromise of the RM and CI unless CI is
>> compromised by RM, of course, but that should be very unlikely.
>>
>> Regards
>>
>> Jakub
>>
>
> On the side of the CI being compromised, this does happen, typically with
> authed private hosted CI, like Jenkins. But if it's open and accessible to
> everyone to monitor, such as GitHub Actions, everyone can monitor and audit
> the build logs to verify the commands ran and nothing unexpected happened
> during build.
>
> That is something PHP is missing atm, no one can verify the build process
> for releases.

Yes, that's what I was suggesting. This should be done by RM. In that way, the RM becomes more someone that verifies the build and not the actual person that provides the build.

Regards

Jakub
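The verify-then-sign step discussed in this thread, as an added example that is not part of php-src or its release scripts: a POSIX shell script in which the RM signs the CI-built tarball only when a locally reproduced build has an identical SHA-256 digest. The artifact paths, the gpg invocation and the prior local rebuild are assumptions.

```shell
#!/bin/sh
# Added example, not PHP's own release tooling.
# Assumptions: the RM has already rebuilt the release tarball locally from the
# same tag, and gpg holds the RM's release signing key.

# Fallback for systems (e.g. macOS) that ship shasum instead of sha256sum.
if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }
fi

# verify_reproducible CI_ARTIFACT LOCAL_ARTIFACT
# Succeeds only when both files have the same SHA-256 digest, i.e. the CI
# build is byte-for-byte what the RM can regenerate. The -n guard stops two
# missing files (both digests empty) from comparing equal.
verify_reproducible() {
    ci_sum=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    local_sum=$(sha256sum "$2" 2>/dev/null | cut -d' ' -f1)
    if [ -n "$ci_sum" ] && [ "$ci_sum" = "$local_sum" ]; then
        echo "reproducible: $ci_sum  $1"
        return 0
    fi
    echo "NOT reproducible: ci=$ci_sum local=$local_sum" >&2
    return 1
}

# sign_if_reproducible CI_ARTIFACT LOCAL_ARTIFACT
# Writes CI_ARTIFACT.asc (detached, ASCII-armoured) and never signs a build
# the RM could not reproduce, so a tampered CI artifact gets no signature.
sign_if_reproducible() {
    verify_reproducible "$1" "$2" || return 1
    gpg --armor --detach-sign --output "$1.asc" "$1"
}
```

The RM then uploads only the `.asc` file alongside the CI-published tarball, which is the workflow Jakub sketches above.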