You might consider requiring commits be signed while you're at it.

On Sun, Mar 28, 2021 at 3:53 PM Nikita Popov <nikita....@gmail.com> wrote:
>
> Hi everyone,
>
> Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> exactly this happened, but everything points towards a compromise of the
> git.php.net server (rather than a compromise of an individual git account).
>
> While investigation is still underway, we have decided that maintaining our
> own git infrastructure is an unnecessary security risk, and that we will
> discontinue the git.php.net server. Instead, the repositories on GitHub,
> which were previously only mirrors, will become canonical. This means that
> changes should be pushed directly to GitHub rather than to git.php.net.
>
> While previously write access to repositories was handled through our
> home-grown karma system, you will now need to be part of the php
> organization on GitHub. If you are not part of the organization yet, or
> don't have access to a repository you should have access to, contact me at
> ni...@php.net with your php.net and GitHub account names, as well as the
> permissions you're currently missing. Membership in the organization
> requires 2FA to be enabled.
>
> This change also means that it is now possible to merge pull requests
> directly from the GitHub web interface.
>
> We're reviewing the repositories for any corruption beyond the two
> referenced commits. Please contact secur...@php.net if you notice anything.
>
> Regards,
> Nikita
>
> [1]:
> https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
> and
> https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
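The reply above suggests requiring signed commits. Server-side, that means the receiving repository refuses any push that contains a commit without a valid signature from a trusted key. The script below is an added example of such a check, not code from the php-src project or the thread's participants. It uses git's %G? log placeholder (G means a good signature from a trusted key; U means good but untrusted; N means unsigned) and a constructed throwaway repository with one unsigned commit to show the rejection path. The function names and the hook wiring are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the php-src thread): reject pushes that contain
# commits lacking a valid signature from a trusted key. Intended to be called
# from a pre-receive hook, which receives "<old> <new> <ref>" lines on stdin.

# Print the hash of every commit in OLD..NEW whose signature status is not
# "G" (good signature, trusted key). Unsigned commits report "N" and are
# listed without git ever invoking gpg; signed-but-untrusted commits report
# "U" and are listed too, so the server's keyring acts as the allowlist.
# Arguments: repo directory, old revision, new revision.
unsigned_commits() {
    repo=$1; old=$2; new=$3
    if [ "$old" = "0000000000000000000000000000000000000000" ]; then
        range=$new            # new ref: every commit reachable from it
    else
        range="$old..$new"    # existing ref: only the commits being added
    fi
    git -C "$repo" log --format='%H %G?' "$range" | awk '$2 != "G" { print $1 }'
}

# Exit 0 if every commit in the range carries a good, trusted signature,
# otherwise print the offending commits to stderr and exit 1 (which makes
# git reject the push when this runs as a hook).
check_push() {
    bad=$(unsigned_commits "$1" "$2" "$3")
    if [ -n "$bad" ]; then
        echo "rejecting push: unsigned or untrusted commits:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Hook entry point: read "<old> <new> <ref>" lines from stdin and fail the
# whole push if any ref update carries an unverified commit.
pre_receive() {
    while read -r old new ref; do
        check_push "$1" "$old" "$new" || return 1
    done
    return 0
}

# Constructed demo: a temporary repository with a single unsigned commit.
# Prints the repository path so callers can run the check against it.
demo_repo() {
    d=$(mktemp -d)
    git -C "$d" init -q
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "unsigned commit"
    echo "$d"
}

# Stand-alone run: the unsigned demo commit must be rejected.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    r=$(demo_repo)
    h=$(git -C "$r" rev-parse HEAD)
    check_push "$r" 0000000000000000000000000000000000000000 "$h" \
        && echo "unexpected: push accepted" || echo "push rejected as expected"
fi
```

Two caveats a deploying team would want. First, "G" requires the author's public key in the server's keyring (for gpg) or in gpg.ssh.allowedSignersFile (for SSH-signed commits), so the keyring is an explicit allowlist of committers and must be maintained like any other access-control list. Second, a signature only proves who created the commit object; it says nothing about the server that stored it, so this check complements rather than replaces the hosting changes the announcement describes.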