[prev in list] [next in list] [prev in thread] [next in thread] 

List:       php-internals
Subject:    Re: [PHP-DEV] Re: What happened to the 5.6.1 =?UTF-8?Q?release=3F?=
From:       Pierre Schmitz <pierre () archlinux ! de>
Date:       2014-09-29 16:35:50
Message-ID: de33d80f16d5777b8883f3ca72dfa653 () archlinux ! de
[Download RAW message or body]

Am 29.09.2014 17:04, schrieb Johannes Schlüter:
> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>> >> Actually, some php.net machines have been compromised and prevent us
>> >> from releasing 5.6.1.
> [...]
> Q: Is the git repo affected?
> A: No. The infected box is a different one. git's cryptographic commit
> identifiers and distributed antature along with out automatic mirroring
> to github serve as further mitigation for potential issues.

This sounds like it wont be that bad of an idea to build directly from a 
git tag if you know how. Together with signed tags this should be more 
trustworthy imho. I don't see a huge downside here.

I wonder if one could replace that release server with a simple vagrant 
setup or similar so the RM can actually create release archives on his 
own.

Greetings,

Pierre

-- 
Pierre Schmitz, https://pierre-schmitz.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

[prev in list] [next in list] [prev in thread] [next in thread]