CommunityNews

Malicious Commits to PHP's Git Repository

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo [1] from the names of Rasmus Lerdorf and myself. We don’t yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our
own git infrastructure is an unnecessary security risk, and that we will
discontinue the git.php.net server. Instead, the repositories on GitHub,
which were previously only mirrors, will become canonical. This means that
changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our
home-grown karma system, you will now need to be part of the php
organization on GitHub. If you are not part of the organization yet, or
don’t have access to a repository you should have access to, contact me at
nikic@php.net with your php.net and GitHub account names, as well as the
permissions you’re currently missing. Membership in the organization
requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests
directly from the GitHub web interface.

We’re reviewing the repositories for any corruption beyond the two
referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1] [skip-ci] Fix typo · php/php-src@c730aa2 · GitHub
    and
    Revert "Revert "[skip-ci] Fix typo"" · php/php-src@2b0f239 · GitHub

https://news-web.php.net/php.internals/113838
