Hi,

On Tue, Apr 2, 2024 at 7:14 PM Stanislav Malyshev <smalys...@gmail.com> wrote:

> Hi!
>
>> That is something PHP is missing atm, no one can verify the build process
>> for releases.
>
> Yes, that's what I was suggesting. This should be done by the RM. In that
> way, the RM becomes more someone that verifies the build and not the
> actual person that provides the build.
>
> I'm not sure though how the RM can really verify it. I mean, we have the
> tar blob that comes from the git repo - which we assume is legit. We also
> have some files that aren't in the repo. If the RM builds them by
> themselves, then the question comes up what if the RM's environment is
> compromised and something bad is injected. If the RM receives the files
> from an outside source, how does the RM verify they are genuine? I don't
> think reading through the whole "configure" file and verifying it's not
> bad is realistic for any person. And from what I understand, "configure"
> and such are quite environment-dependent, so you can't just have a
> standard hash to compare to. You can't have the RM just run "buildconf"
> again and do a hash check because they may get different bits than the
> ones coming from the outside, like CI. I dunno, maybe if we had some kind
> of Docker image for generating it that would produce a reproducible
> result, that'd be possible? Otherwise I am still not sure what the
> verification procedure looks like.

Yeah, as I already noted, it needs to be reproducible, so the RM would need
to have exactly the same versions of all build tools as used in CI. I think
the only option would be to use a Docker image for that. We could then use
the same image in CI (job container). In that way we should be able to
implement the same process (there might be some extra bits to do, but I
think it should be doable in general). We could potentially store the
produced hashes in some CI artifact and possibly also make them available
from the downloads server (once downloaded from CI), so the RM could have a
script that just automatically compares all hashes.

So the ideal scenario would be that the RM just runs a command that does it
all for them.

> Right now, as I understand, we're simply trusting the RM that they have an
> uncompromised environment, and third parties have no way to verify it's
> the case. But I guess it's time we do better?

Yes, exactly that. Currently the RM can change the build as they want, so if
they are compromised, then we might have the same issue that happened to XZ.

Regards,

Jakub
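The "RM just runs a command that compares all hashes" step, as an added example of what such a script could look like. This is editor-written illustration, not code from php-src or from anyone in this thread, and the workflow it assumes (CI builds the tarball in a pinned container image and publishes a `generated.sha256` manifest of every file it generated; the RM has the tag's `git ls-files` output and the extracted tarball) is an assumption, not an existing PHP process. Besides comparing the hashes of the generated files against CI, it also flags any file in the tree that is neither tracked in git nor listed in the manifest, which is the check that would catch an injected build script even when every listed hash matches:

```shell
#!/bin/sh
# Editor-added example; not code from php-src or from anyone in this thread.
# Assumed (hypothetical) workflow: CI generates the release tree inside a pinned
# container image and publishes "generated.sha256" (sha256sum text-mode output,
# "<hash>  <relative path>") for every file it generated (configure, ...).
# The RM extracts the tarball and runs verify_release_tree, which accepts it only if
#   1. every generated file in the manifest is present with CI's hash, and
#   2. no file exists that is neither git-tracked nor listed in the manifest
#      (an extra .m4 or edited configure that nobody committed shows up here).
# Dependencies: POSIX sh, sha256sum, find, sort, comm, mktemp.
LC_ALL=C; export LC_ALL   # consistent collation for sort/comm

# verify_release_tree TREE TRACKED_LIST MANIFEST
#   TREE          directory the release tarball was extracted into
#   TRACKED_LIST  one relative path per line, i.e. `git ls-files` at the tag
#   MANIFEST      sha256sum lines produced by the CI build
# Prints one line per problem; returns 0 if the tree is clean, 1 otherwise.
verify_release_tree() {
    tree=$1; tracked=$2; manifest=$3; status=0

    # 1. each generated file must exist and hash to the value CI produced
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$tree/$path" ]; then
            echo "MISSING generated file: $path"; status=1; continue
        fi
        actual=$(sha256sum "$tree/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "HASH MISMATCH (differs from CI build): $path"; status=1
        fi
    done < "$manifest"

    # 2. any file in the tree that is in neither list is unexplained
    tmp=$(mktemp -d)
    { cat "$tracked"; sed 's/^[0-9a-f]\{64\}  //' "$manifest"; } | sort -u > "$tmp/expected"
    (cd "$tree" && find . -type f | sed 's|^\./||' | sort) > "$tmp/actual"
    comm -13 "$tmp/expected" "$tmp/actual" > "$tmp/unexpected"
    if [ -s "$tmp/unexpected" ]; then
        sed 's/^/UNEXPECTED file (not in git, not built by CI): /' "$tmp/unexpected"
        status=1
    fi
    rm -rf "$tmp"
    return $status
}

# Constructed sample data so the script runs offline: a tiny release tree with
# one git-tracked source file and one CI-generated "configure" script.
make_demo() {
    root=$1
    mkdir -p "$root/tree"
    printf 'int main(void) { return 0; }\n' > "$root/tree/main.c"
    printf '#!/bin/sh\necho "checking for cc... yes"\n' > "$root/tree/configure"
    printf 'main.c\n' > "$root/tracked"
    # what CI would have published after generating configure in the pinned image
    (cd "$root/tree" && sha256sum configure) > "$root/manifest"
}

# Clean tree: returns 0 when the check accepts it.
demo_clean() {
    root=$(mktemp -d); rc=0
    make_demo "$root"
    verify_release_tree "$root/tree" "$root/tracked" "$root/manifest" || rc=$?
    rm -rf "$root"
    return $rc
}

# Tampered tree (edited configure plus an m4 file nobody committed):
# returns 0 when the check correctly rejects it.
demo_tampered() {
    root=$(mktemp -d); rc=0
    make_demo "$root"
    printf 'echo injected\n' >> "$root/tree/configure"
    mkdir -p "$root/tree/m4"
    printf 'dnl not in git, not built by CI\n' > "$root/tree/m4/extra.m4"
    verify_release_tree "$root/tree" "$root/tracked" "$root/manifest" || rc=$?
    rm -rf "$root"
    [ "$rc" -eq 1 ]
}

demo_clean && demo_tampered && echo "clean tree accepted, tampered tree rejected"
```

The script deliberately does not flag tracked files that are absent from the tarball (export-ignored files such as `.gitignore` are normal), and it does not verify the tracked files themselves; those are covered by comparing the tarball against `git archive` at the tag. Everything it does rely on is that the manifest came out of the same pinned image the RM reproduces the build in, which is exactly the reproducibility requirement discussed above.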