Hi,

> -----Original Message-----
> From: Johannes Schlüter [mailto:johan...@schlueters.de]
> 
> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
> > >> Actually, some php.net machines have been compromised and prevent
> > >> us from releasing 5.6.1.
> [...]
> > All the source and binary releases along with git is safe.
> 
> To be more precise: The machine used to package up the releases shows
> some traces of an infection. Recent releases are being reviewed and show no
> traces of anything being injected there, still we are not comfortable with
> using the box to build new tarballs ;)
> 
> Short FAQ:
> 
> Q: Is the git repo affected?
> A: No. The infected box is a different one. git's cryptographic commit
> identifiers and distributed nature along with our automatic mirroring to
> github serve as further mitigation for potential issues.
> 
> Q: Are downloads from php.net/downloads affected?
> A: The attack would happen during creating the release tarballs. Recent
> releases are being reviewed and show no traces of modifications.
> 
> Q: Are downloads from windows.php.net affected?
> A: Windows builds are created from release tarballs. If those were infected
> this might affect Windows, too. But no such infection could be found.

The answer is No.  We always pull from git.php.net for new releases.  We also 
scan all releases before posting them.  RMs, please let me know if you'd like me 
to pull the bins on windows.php.net, or if you're not planning on retagging we 
can just sit tight and wait for the official announcement.


> 
> Q: Are snaps or RC releases affected?
> A: I do not know, but know of no traces.

The Windows build machines pull from git directly for snapshot and RC builds 
too.


Thanks!
Steve
