Re: [PHP-DEV] Re: Changes to Git commit workflow
On Thu, Apr 1, 2021 at 2:59 AM Sebastian Bergmann wrote:
> On 01.04.2021 at 09:58, Jan Ehrhardt wrote:
> > Will PHP 8.0.4 and 7.4.17 be postponed because of this? They haven't been
> > released yet. The usual day for tagging always was Tuesday or Wednesday.
>
> Yes, see https://twitter.com/official_php/status/1377339882645905408
>

Or even the front page of php.net, this was announced on Tuesday when tagging normally would have taken place.

-Sara
Re: [PHP-DEV] Re: Changes to Git commit workflow
On 01.04.2021 at 09:58, Jan Ehrhardt wrote:
> Will PHP 8.0.4 and 7.4.17 be postponed because of this? They haven't been released yet. The usual day for tagging always was Tuesday or Wednesday.

Yes, see https://twitter.com/official_php/status/1377339882645905408

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
[PHP-DEV] Re: Changes to Git commit workflow
Nikita Popov in php.internals (Mon, 29 Mar 2021 00:52:24 +0200):
>We're reviewing the repositories for any corruption beyond the two
>referenced commits.

Will PHP 8.0.4 and 7.4.17 be postponed because of this? They haven't been released yet. The usual day for tagging always was Tuesday or Wednesday.

--
Jan
[PHP-DEV] Re: Changes to Git commit workflow Nikita Popov
On 2021-03-29 at 23:10, Benjamin Morel wrote:
> > Hi everyone,
> >
> > Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> > repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> > exactly this happened, but everything points towards a compromise of the
> > git.php.net server (rather than a compromise of an individual git
> > account).
>
> That is scary. Can you disclose the contents of the commits? Are they specially designed to open a security hole, or to be harmful in another way?

An article from The Hacker News and a tweet from Zerodium about the incident:
- https://thehackernews.com/2021/03/phps-git-server-hacked-to-insert-secret.html
- https://twitter.com/cBekrar/status/1376469666084757506

r//Björn L
[PHP-DEV] Re: Changes to Git commit workflow
> Hi everyone,
>
> Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> exactly this happened, but everything points towards a compromise of the
> git.php.net server (rather than a compromise of an individual git
> account).

That is scary. Can you disclose the contents of the commits? Are they specially designed to open a security hole, or to be harmful in another way?

> While investigation is still underway, we have decided that maintaining
> our own git infrastructure is an unnecessary security risk, and that we
> will discontinue the git.php.net server. Instead, the repositories on
> GitHub, which were previously only mirrors, will become canonical. This
> means that changes should be pushed directly to GitHub rather than to
> git.php.net.

This change will be welcome anyway!

— Benjamin
[PHP-DEV] Re: Changes to Git commit workflow
On Mon, 29 Mar 2021 at 01:52, Nikita Popov wrote:
> While previously write access to repositories was handled through our
> home-grown karma system, you will now need to be part of the php organization
> on GitHub. If you are not part of the organization yet, or don't have access
> to a repository you should have access to, contact me at ni...@php.net with
> your php.net and GitHub account names, as well as the permissions you're
> currently missing. Membership in the organization requires 2FA to be enabled.

How will this work for SVNROOT karma holders to grant karma to others going forward?

--
regards,

Kalle Sommer Nielsen
ka...@php.net
[PHP-DEV] Re: Changes to Git commit workflow
On Mon, Mar 29, 2021 at 12:52 AM Nikita Popov wrote:
> Hi everyone,
>
> Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> exactly this happened, but everything points towards a compromise of the
> git.php.net server (rather than a compromise of an individual git
> account).
>
> While investigation is still underway, we have decided that maintaining
> our own git infrastructure is an unnecessary security risk, and that we
> will discontinue the git.php.net server. Instead, the repositories on
> GitHub, which were previously only mirrors, will become canonical. This
> means that changes should be pushed directly to GitHub rather than to
> git.php.net.
>
> While previously write access to repositories was handled through our
> home-grown karma system, you will now need to be part of the php
> organization on GitHub. If you are not part of the organization yet, or
> don't have access to a repository you should have access to, contact me at
> ni...@php.net with your php.net and GitHub account names, as well as the
> permissions you're currently missing. Membership in the organization
> requires 2FA to be enabled.
>
> This change also means that it is now possible to merge pull requests
> directly from the GitHub web interface.
>
> We're reviewing the repositories for any corruption beyond the two
> referenced commits. Please contact secur...@php.net if you notice
> anything.
>
> Regards,
> Nikita

Assuming you do already have write access on GitHub, you can change the upstream repository of your local clone by running "git remote set-url origin g...@github.com:php/php-src.git" (replacing php/php-src with the repository in question).

Nikita
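
The remote switch described in the last message, as an added example (not part of the thread and not PHP project tooling): shell helpers that check whether a clone's origin still names the discontinued git.php.net host and, if so, point both its fetch and push URLs at a GitHub repository named by the caller. The function names are hypothetical, the old-server URL forms in the comments are constructed samples, and the GitHub URL uses GitHub's standard SSH form.

```shell
#!/bin/sh
# Added example: find clones still tracking git.php.net and repoint them.

# Print the host of a git remote URL. Handles scheme://[user@]host[:port]/path
# and scp-like [user@]host:path (constructed sample: git@git.php.net:php-src.git).
remote_host() {
    url=$1
    case $url in
        *://*)
            rest=${url#*://}              # drop the scheme
            rest=${rest%%/*}              # keep only the authority part
            rest=${rest##*@}              # drop userinfo
            printf '%s\n' "${rest%%:*}"   # drop the port
            ;;
        *:*)
            rest=${url%%:*}               # text before the first colon
            printf '%s\n' "${rest##*@}"
            ;;
        *)
            printf '\n'                   # local path: no host
            ;;
    esac
}

# Exact host comparison, so a look-alike such as git.php.net.example.org
# is not mistaken for the old server.
is_legacy_remote() {
    [ "$(remote_host "$1")" = "git.php.net" ]
}

# Print the URL origin should have: legacy URLs map to GitHub, others are kept.
new_origin_url() {
    if is_legacy_remote "$1"; then
        printf 'git@github.com:%s.git\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# repoint_origin <clone-dir> <github-slug>, e.g. repoint_origin . php/php-src
repoint_origin() {
    dir=$1 slug=$2
    for kind in "" "--push"; do           # fetch URL first, then push URL
        cur=$(git -C "$dir" remote get-url $kind origin) || return 1
        new=$(new_origin_url "$cur" "$slug")
        [ "$cur" = "$new" ] || git -C "$dir" remote set-url $kind origin "$new"
    done
    git -C "$dir" remote -v               # show the result for review
}
```

Checking the push URL separately matters because a clone can have a `pushurl` that differs from its fetch URL, and a plain `git remote set-url origin` leaves that one untouched.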