CommunityNews

CommunityNews

Malicious Commits to PHPs Git Repository

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo [1] from the names of Rasmus Lerdorf and myself. We don’t yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our
own git infrastructure is an unnecessary security risk, and that we will
discontinue the git.php.net server. Instead, the repositories on GitHub,
which were previously only mirrors, will become canonical. This means that
changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our
home-grown karma system, you will now need to be part of the php
organization on GitHub. If you are not part of the organization yet, or
don’t have access to a repository you should have access to, contact me at
nikic@php.net with your php.net and GitHub account names, as well as the
permissions you’re currently missing. Membership in the organization
requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests
directly from the GitHub web interface.

We’re reviewing the repositories for any corruption beyond the two
referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1]
[skip-ci] Fix typo · php/php-src@c730aa2 · GitHub
and
Revert "Revert "[skip-ci] Fix typo"" · php/php-src@2b0f239 · GitHub

https://news-web.php.net/php.internals/113838

This thread was posted by one of our members via one of our news source trackers.

Where Next?

Popular Backend topics Top

First poster: bot
Spring v5.3.0 has been released. Link: Release v5.3.0 · spring-projects/spring-framework · GitHub
New
First poster: bot
Quarkus 1.9.1.Final has been released. Link: Release 1.9.1.Final · quarkusio/quarkus · GitHub
New
First poster: bot
Quarkus 1.10.0.CR1 has been released. Link: Release 1.10.0.CR1 · quarkusio/quarkus · GitHub
New
First poster: bot
Scala v2.13.6 has been released. Link: Release Scala 2.13.6 · scala/scala · GitHub
New
First poster: OvermindDL1
A new Lunatic blog post/announcement has been posted! Get the full details here: https://lunatic.solutions/writing-rust-the-elixir-way/
New
First poster: bot
Node.js v14.18.3 and v12.22.9 has been released. Link: Release 2022-01-10, Version 14.18.3 'Fermium' (LTS), @richardlau · nodejs/node ·...
New
First poster: bot
Julia v1.8.0-beta1 has been released. Link: Release v1.8.0-beta1 · JuliaLang/julia · GitHub
New
First poster: bot
Node.js v18.16.0 has been released. Link: Release 2023-04-12, Version 18.16.0 'Hydrogen' (LTS), @danielleadams · nodejs/node · GitHub
New
NewsBot
Zig 0.14.1 has been released. Link: Release 0.14.1 · ziglang/zig · GitHub
New
NewsBot
Node.js v24.7.0 has been released. Link: Release 2025-08-27, Version 24.7.0 (Current), @targos · nodejs/node · GitHub
New

Other popular topics Top

Exadra37
I am thinking in building or buy a desktop computer for programing, both professionally and on my free time, and my choice of OS is Linux...
New
AstonJ
Curious to know which languages and frameworks you’re all thinking about learning next :upside_down_face: Perhaps if there’s enough peop...
New
PragmaticBookshelf
Build highly interactive applications without ever leaving Elixir, the way the experts do. Let LiveView take care of performance, scalabi...
New
PragmaticBookshelf
Rails 7 completely redefines what it means to produce fantastic user experiences and provides a way to achieve all the benefits of single...
New
PragmaticBookshelf
Build efficient applications that exploit the unique benefits of a pure functional language, learning from an engineer who uses Haskell t...
New
New
New
First poster: bot
zig/http.zig at 7cf2cbb33ef34c1d211135f56d30fe23b6cacd42 · ziglang/zig. General-purpose programming language and toolchain for maintaini...
New
PragmaticBookshelf
Explore the power of Ash Framework by modeling and building the domain for a real-world web application. Rebecca Le @sevenseacat and ...
New
mindriot
Ok, well here are some thoughts and opinions on some of the ergonomic keyboards I have, I guess like mini review of each that I use enoug...
New