Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-02 Thread Jakub Zelenka
Hi,

On Tue, Apr 2, 2024 at 7:14 PM Stanislav Malyshev wrote:
> Hi!
>
>> That is something PHP is missing atm, no one can verify the build process
>> for releases.
>
> Yes that's what I was suggesting. This should be done by RM. In that way,
> the RM becomes more someone that verifies the

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-02 Thread Stanislav Malyshev
Hi!

> That is something PHP is missing atm, no one can verify the build process
> for releases.

Yes that's what I was suggesting. This should be done by RM. In that way, the RM becomes more someone that verifies the build and not the actual person that provides the build. I'm not

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-02 Thread Olle Härstedt
internals+unsubscr...@lists.php.net - 550 5.7.1 Looks like spam to me. Can't unsub...?

On Tue, 2 Apr 2024 at 16:46, Jakub Zelenka wrote:
> On Tue, Apr 2, 2024 at 3:35 PM tag Knife wrote:
>
>> On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka wrote:
>>
>>> We will still need RM to sign the build

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-02 Thread Jakub Zelenka
On Tue, Apr 2, 2024 at 3:35 PM tag Knife wrote:
>
> On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka wrote:
>
>> We will still need RM to sign the build so ideally we should make it
>> reproducible so RM can verify that CI produced expected build and then sign
>> it and just upload the signatures

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-02 Thread tag Knife
On Tue, 2 Apr 2024 at 14:53, Jakub Zelenka wrote:
> We will still need RM to sign the build so ideally we should make it
> reproducible so RM can verify that CI produced expected build and then sign
> it and just upload the signatures (not sure if we actually need signature
> uploaded or if they

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-02 Thread Jakub Zelenka
Hi,

On Tue, Apr 2, 2024 at 2:36 PM Derick Rethans wrote:
> On Sat, 30 Mar 2024, Jakub Zelenka wrote:
>
> > On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta
> > wrote:
> >
> > > I understand that the XZ project had signed releases too: that still
> > > means that downstream consumers would need to

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-02 Thread Derick Rethans
On Sat, 30 Mar 2024, Jakub Zelenka wrote:
> On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta wrote:
>
> > I understand that the XZ project had signed releases too: that still
> > means that downstream consumers would need to trust the release
> > managers anyway, and reproduce the whole chain

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-04-01 Thread Robert Landers
On Mon, Apr 1, 2024 at 1:53 AM Ben Ramsey wrote:
>
> > On Mar 31, 2024, at 11:08, Robert Landers wrote:
> >
> > There are probably multiple parties that require trust: the people
> > hosting the CI servers, the people with access to the CI servers, the
> > RM, and maybe more that I can't think

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-31 Thread Ben Ramsey
> On Mar 31, 2024, at 11:08, Robert Landers wrote:
>
> There are probably multiple parties that require trust: the people
> hosting the CI servers, the people with access to the CI servers, the
> RM, and maybe more that I can't think of right now.
>
> One option would be to have
>
> - CI push

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-31 Thread Robert Landers
On Sun, Mar 31, 2024 at 5:26 PM Christian Schneider wrote:
>
> On 30.03.2024 at 16:35, Daniil Gentili wrote:
> >> That would break lots of tools as it requires extra dependencies so it is
> >> not something that would could in stable versions.
> > Btw, I do not believe that "it would require

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-31 Thread Rowan Tommins [IMSoP]
On 31/03/2024 14:53, Christian Schneider wrote:
> But my main question is: I fail to see the difference whether I plant my
> malicious code in configure, configure.ac or *.c: Someone has to review
> the changes and notice the problem. And we have to trust the RMs. What am
> I missing?

As I

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-31 Thread Christian Schneider
On 30.03.2024 at 16:35, Daniil Gentili wrote:
>> That would break lots of tools as it requires extra dependencies so it is
>> not something that would could in stable versions.
> Btw, I do not believe that "it would require end users to install autotools
> and bison in order to compile PHP

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Jakub Zelenka
On Sat, Mar 30, 2024 at 5:46 PM Ben Ramsey wrote:
> On Mar 30, 2024, at 07:03, Jakub Zelenka wrote:
>
> Hi,
>
> On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta wrote:
>
>> On Sat, 30 Mar 2024, 05:19 Ben Ramsey, wrote:
>>
>>> On Mar 29, 2024, at 20:20, Bob Weinand wrote:
>>>

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Jakub Zelenka
Hi,

On Sat, Mar 30, 2024 at 3:33 PM Daniil Gentili wrote:
> It is also pretty standard thing to distribute configure files (which is
> the file that probably matters most).
>
> The current standard way of distributing generated configure files in
> tarballs is precisely what allowed the xz

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Ben Ramsey
On Mar 30, 2024, at 07:03, Jakub Zelenka wrote:
Hi,
On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta wrote:
On Sat, 30 Mar 2024, 05:19 Ben Ramsey, wrote:
On Mar 29, 2024, at 20:20, Bob Weinand wrote:
On 29.3.2024 23:31:26,

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Daniil Gentili
> That would break lots of tools as it requires extra dependencies so it is
> not something that would could in stable versions.

Btw, I do not believe that "it would require end users to install autotools and bison in order to compile PHP from tarballs" is a valid reason to delay the patching of

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Daniil Gentili
Hi,

> It is also pretty standard thing to distribute configure files (which is
> the file that probably matters most).

The current standard way of distributing generated configure files in tarballs is precisely what allowed the xz supply chain attack to go unnoticed for so long. I strongly

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Jakub Zelenka
On Sat, Mar 30, 2024 at 12:03 PM Jakub Zelenka wrote:
> Hi,
>
> On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta wrote:
>
>> On Sat, 30 Mar 2024, 05:19 Ben Ramsey, wrote:
>>
>>> On Mar 29, 2024, at 20:20, Bob Weinand wrote:
>>>
>>> On 29.3.2024 23:31:26, Daniil Gentili wrote:
>>>

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Jakub Zelenka
Hi

On Sat, Mar 30, 2024 at 1:39 PM Daniil Gentili wrote:
> Hi,
>
> > The idea is that we would setup workflow on CI that would run on tag push
> > and it would call (authenticated https request) downloads.php.net server
> > that could do the actual build
>
> I strongly believe that source tarballs

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Tim Düsterhus
Hi

On 3/30/24 14:20, Stanislav Malyshev wrote:
>> But does the release manager generate the files (and the tarball) in a
>> reproducible way?
>
> I understand that's what ./scripts/dev/makedist and ./scripts/dev/genfiles
> do, but I suspect exact bits in resulting configure and lexers may depend
> on the

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Daniil Gentili
Hi,

> The idea is that we would setup workflow on CI that would run on tag push
> and it would call (authenticated https request) downloads.php.net server
> that could do the actual build

I strongly believe that source tarballs should contain *only* the source code

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Stanislav Malyshev
Hi!

On 3/30/24 1:27 AM, Sebastian Bergmann wrote:
> On 30.03.2024 at 05:17, Ben Ramsey wrote:
>> This is also why our release managers sign the tarballs with their own
>> GPG keys, after generating the artifacts. This verifies the release
>> manager was the one who generated the files.
>
> But does the

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Jakub Zelenka
Hi,

On Sat, Mar 30, 2024 at 7:08 AM Marco Pivetta wrote:
>
> On Sat, 30 Mar 2024, 05:19 Ben Ramsey, wrote:
>
>> On Mar 29, 2024, at 20:20, Bob Weinand wrote:
>>
>> On 29.3.2024 23:31:26, Daniil Gentili wrote:
>>
>> In light of the recent supply chain attack in xz/lzma, leading to a

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Sebastian Bergmann
On 30.03.2024 at 05:17, Ben Ramsey wrote:
> This is also why our release managers sign the tarballs with their own
> GPG keys, after generating the artifacts. This verifies the release
> manager was the one who generated the files.

But does the release manager generate the files (and the tarball)

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-30 Thread Marco Pivetta
On Sat, 30 Mar 2024, 05:19 Ben Ramsey, wrote:
> On Mar 29, 2024, at 20:20, Bob Weinand wrote:
>
> On 29.3.2024 23:31:26, Daniil Gentili wrote:
>
> In light of the recent supply chain attack in xz/lzma, leading to a
> backdoor in openSSH (

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-29 Thread Ben Ramsey
On Mar 29, 2024, at 20:20, Bob Weinand wrote:

On 29.3.2024 23:31:26, Daniil Gentili wrote:

In light of the recent supply chain attack in xz/lzma, leading to a backdoor in openSSH

Re: [PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-29 Thread Bob Weinand
On 29.3.2024 23:31:26, Daniil Gentili wrote:
> In light of the recent supply chain attack in xz/lzma, leading to a
> backdoor in openSSH (https://www.openwall.com/lists/oss-security/2024/03/29/4),
> I believe that it would be a good idea to remove the huge attack surface
> offered by the

[PHP-DEV] Consider removing autogenerated files from tarballs

2024-03-29 Thread Daniil Gentili
In light of the recent supply chain attack in xz/lzma, leading to a backdoor in openSSH (https://www.openwall.com/lists/oss-security/2024/03/29/4), I believe that it would be a good idea to remove the huge attack surface offered by the pre-generated autoconf build scripts and lexers, offered in