CommunityNews

Malicious Commits to PHP's Git Repository

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo [1] from the names of Rasmus Lerdorf and myself. We don’t yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our
own git infrastructure is an unnecessary security risk, and that we will
discontinue the git.php.net server. Instead, the repositories on GitHub,
which were previously only mirrors, will become canonical. This means that
changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our
home-grown karma system, you will now need to be part of the php
organization on GitHub. If you are not part of the organization yet, or
don’t have access to a repository you should have access to, contact me at
nikic@php.net with your php.net and GitHub account names, as well as the
permissions you’re currently missing. Membership in the organization
requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests
directly from the GitHub web interface.

We’re reviewing the repositories for any corruption beyond the two
referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1] php/php-src@c730aa2 "[skip-ci] Fix typo" and
    php/php-src@2b0f239 Revert "Revert "[skip-ci] Fix typo""

https://news-web.php.net/php.internals/113838
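The announcement says the GitHub mirrors become canonical and that the repositories are being reviewed for corruption beyond the two referenced commits. The script below is an added example, not php.net's tooling or anything from the original mail: it builds two throwaway repositories (a canonical one and a clone that receives one extra commit, using the commit subject from the referenced commit as constructed sample data), then lists every commit reachable from the mirror's HEAD that the canonical history does not contain. The repository names, identity and commit messages are constructed; it needs only the `git` command-line tool.

```python
"""Audit a git mirror against its canonical repository.

Constructed demonstration (not php.net's own tooling): builds a canonical
repo and a mirror that carries one extra commit, then reports every commit
reachable from the mirror that the canonical branch does not contain.
Requires the git command-line tool.
"""
import os
import subprocess
import tempfile

# Identity used only for the constructed commits in this demo.
GIT_IDENTITY = ["-c", "user.name=Audit Demo",
                "-c", "user.email=audit-demo@example.invalid"]


def git(repo: str, *args: str) -> str:
    """Run a git subcommand inside `repo` and return its trimmed stdout."""
    result = subprocess.run(
        ["git", *GIT_IDENTITY, "-C", repo, *args],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def build_demo() -> tuple:
    """Create a canonical repo plus a mirror that holds one unexpected commit."""
    base = tempfile.mkdtemp(prefix="git-audit-")
    canonical = os.path.join(base, "canonical")
    mirror = os.path.join(base, "mirror")
    os.makedirs(canonical)
    git(canonical, "init", "-q")
    git(canonical, "commit", "-q", "--allow-empty", "-m", "Initial commit")
    git(canonical, "commit", "-q", "--allow-empty", "-m", "Fix build on 32-bit")
    subprocess.run(["git", "clone", "-q", canonical, mirror], check=True)
    # Simulate a commit that reached the mirror without passing through canonical.
    git(mirror, "commit", "-q", "--allow-empty", "-m", "[skip-ci] Fix typo")
    return canonical, mirror


def unexpected_commits(canonical: str, mirror: str) -> list:
    """Return commits reachable from the mirror's HEAD but not from canonical's HEAD.

    Each entry is a dict with sha, author, email and subject, newest first.
    """
    # Pull the mirror's HEAD into a scratch ref inside the canonical repo;
    # the leading '+' allows the scratch ref to move backwards between audits.
    git(canonical, "fetch", "-q", mirror, "+HEAD:refs/audit/mirror")
    log = git(canonical, "log", "--format=%H%x09%an%x09%ae%x09%s",
              "refs/audit/mirror", "^HEAD")
    commits = []
    for line in log.splitlines():
        sha, author, email, subject = line.split("\t", 3)
        commits.append({"sha": sha, "author": author,
                        "email": email, "subject": subject})
    return commits


if __name__ == "__main__":
    canonical_repo, mirror_repo = build_demo()
    for c in unexpected_commits(canonical_repo, mirror_repo):
        print(f"{c['sha'][:12]} {c['author']} <{c['email']}> {c['subject']}")
```

The comparison is done by fetching the mirror's HEAD into a scratch ref of the trusted repository and asking `git log` for commits reachable from that ref but not from the trusted branch; the same approach works for a real mirror by passing its URL instead of a local path, and an empty result means the two histories agree.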
