On Mon, 2014-09-29 at 18:35 +0200, Pierre Schmitz wrote:
> On 29.09.2014 17:04, Johannes Schlüter wrote:
> > On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
> >> >> Actually, some php.net machines have been compromised and prevent us
> >> >> from releasing 5.6.1.
> > [...]
> > Q: Is the git repo affected?
> > A: No. The infected box is a different one. git's cryptographic commit
> > identifiers and distributed nature along with our automatic mirroring
> > to github serve as further mitigation for potential issues.
>
> This sounds like it won't be that bad of an idea to build directly from a
> git tag if you know how. Together with signed tags this should be more
> trustworthy imho. I don't see a huge downside here.

In a general case this might lead to issues due to different behavior by
different autoconf or bison or whatever versions. The issues might go
from failing builds over slightly different error messages on parse errors
to something completely weird. In recent years we had little of these
issues ... so if you feel confident with using git, buildconf and these
extra tools you can do that.

> I wonder if one could replace that release server with a simple vagrant
> setup or similar so the RM can actually create release archives on his
> own.

Still you have to make sure the base box image and puppet (or such)
scripts are hosted on a proper box. Might be good if somebody looks into
this; when doing so, mind that snaps should be created using the same
toolchain.

johannes