Hi,
> The idea is that we would set up a workflow on CI that would run on tag push and it would call (authenticated https request) downloads.php.net server that could do the actual build
I strongly believe that source tarballs should contain *only* the source code contained in the VCS.
Distributing "half-built" source code (even if it's generated by a CI, and especially by a build server on downloads.php.net, which can be compromised) defeats the reproducibility and transparency purposes of building from source.
> For upstream packagers like distros I'd likely recommend using these tools directly anyway, and not rely on what's in the package.
Distros like Arch Linux already re-generate the configure scripts from scratch, but I believe that no distinction should be made, *everyone* should get a tarball containing *only* the bare source code, without leaving to the user the choice to re-generate the build files, or use a potentially compromised build script.
Regards, Daniil Gentili.