Am 29.09.2014 17:04, schrieb Johannes Schlüter:
On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>> Actually, some php.net machines have been compromised and prevent us
>> from releasing 5.6.1.
[...]
Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed antature along with out automatic mirroring
to github serve as further mitigation for potential issues.
This sounds like it wont be that bad of an idea to build directly from a
git tag if you know how. Together with signed tags this should be more
trustworthy imho. I don't see a huge downside here.
I wonder if one could replace that release server with a simple vagrant
setup or similar so the RM can actually create release archives on his
own.
Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
