CommunityNews

Malicious Commits to PHP's Git Repository

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo [1] from the names of Rasmus Lerdorf and myself. We don’t yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our
own git infrastructure is an unnecessary security risk, and that we will
discontinue the git.php.net server. Instead, the repositories on GitHub,
which were previously only mirrors, will become canonical. This means that
changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our
home-grown karma system, you will now need to be part of the php
organization on GitHub. If you are not part of the organization yet, or
don’t have access to a repository you should have access to, contact me at
nikic@php.net with your php.net and GitHub account names, as well as the
permissions you’re currently missing. Membership in the organization
requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests
directly from the GitHub web interface.

We’re reviewing the repositories for any corruption beyond the two
referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1]
[skip-ci] Fix typo · php/php-src@c730aa2 · GitHub
and
Revert "Revert "[skip-ci] Fix typo"" · php/php-src@2b0f239 · GitHub

https://news-web.php.net/php.internals/113838

This thread was posted by one of our members via one of our news source trackers.
