Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Mon, Sep 29, 2014 at 9:31 PM, Stas Malyshev smalys...@sugarcrm.com wrote:
> Hi!
>
>> I wonder if one could replace that release server with a simple vagrant
>> setup or similar so the RM can actually create release archives on his
>> own.
>
> I've always packaged 5.4 on my local machine, but it may have a downside
> of using different bison/automake/etc. version and produce a release that
> has different compatibility matrix than officially announced. So

This is the same to me.
AFAIR, we patched the README.RELEASE_PROCESS to explicitly list the requirements, particularly the bison ones, for building on local envs.
I've always built my releases on my local machine, with very accurate version of autoconf and bison.

Julien.Pauli

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Sun, Sep 28, 2014 at 3:45 PM, Jan Ehrhardt php...@ehrhardt.nl wrote:
> Pierre Schmitz in php.internals (Sun, 28 Sep 2014 08:44:33 +0200):
>> I wonder what happened to the 5.6.1 release. A git tag was pushed 4 days
>> ago but since then no announcement was made nor any tar files of the
>> release were uploaded.
>
> The sources are available at http://windows.php.net/download/
> Strange that they did not show up at the non WIN32 download page. Is
> there some security issue that we are not yet aware of?

Hello,

Actually, some php.net machines have been compromised and prevent us from releasing 5.6.1.
One should not use the tag and wait for the official announcements.

Julien.P
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
Julien Pauli in php.internals (Mon, 29 Sep 2014 12:50:55 +0200):
> On Sun, Sep 28, 2014 at 3:45 PM, Jan Ehrhardt php...@ehrhardt.nl wrote:
>> The sources are available at http://windows.php.net/download/
>> Strange that they did not show up at the non WIN32 download page. Is
>> there some security issue that we are not yet aware of?
>
> Actually, some php.net machines have been compromised and prevent us from
> releasing 5.6.1.
> One should not use the tag and wait for the official announcements.

What about the Windows binaries at http://windows.php.net/download/
Are they safe? If not, should not they be withdrawn from that server?

Jan
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Mon, Sep 29, 2014 at 1:05 PM, Jan Ehrhardt php...@ehrhardt.nl wrote:
> Julien Pauli in php.internals (Mon, 29 Sep 2014 12:50:55 +0200):
>> On Sun, Sep 28, 2014 at 3:45 PM, Jan Ehrhardt php...@ehrhardt.nl wrote:
>>> The sources are available at http://windows.php.net/download/
>>> Strange that they did not show up at the non WIN32 download page. Is
>>> there some security issue that we are not yet aware of?
>>
>> Actually, some php.net machines have been compromised and prevent us from
>> releasing 5.6.1.
>> One should not use the tag and wait for the official announcements.
>
> What about the Windows binaries at http://windows.php.net/download/
> Are they safe? If not, should not they be withdrawn from that server?

I think so, but I don't know if we would retag before the release, probably not, but I would suggest people not to download them and wait for official announcement of the release.

no official announcement = no release, that simple :-)

Julien.P
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On 29 September 2014 11:50, Julien Pauli jpa...@php.net wrote:
> Hello,
>
> Actually, some php.net machines have been compromised and prevent us from
> releasing 5.6.1.
> One should not use the tag and wait for the official announcements.
>
> Julien.P

This is pretty troubling news. We still haven't had the promised postmortem from the last breach, so I hope you'll be more open about this one. Please reach out if any of us can possibly assist.
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Sep 29, 2014, at 04:05, Jan Ehrhardt php...@ehrhardt.nl wrote:
> Julien Pauli in php.internals (Mon, 29 Sep 2014 12:50:55 +0200):
>> On Sun, Sep 28, 2014 at 3:45 PM, Jan Ehrhardt php...@ehrhardt.nl wrote:
>>> The sources are available at http://windows.php.net/download/
>>> Strange that they did not show up at the non WIN32 download page. Is
>>> there some security issue that we are not yet aware of?
>>
>> Actually, some php.net machines have been compromised and prevent us from
>> releasing 5.6.1.
>> One should not use the tag and wait for the official announcements.
>
> What about the Windows binaries at http://windows.php.net/download/
> Are they safe? If not, should not they be withdrawn from that server?

All the source and binary releases along with git are safe. And there was no new breach here. It was a box that wasn't properly cleaned up from the previous one and wasn't put behind the ssh bouncer like all the other machines.

-Rasmus
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>> Actually, some php.net machines have been compromised and prevent us from
>> releasing 5.6.1.
> [...]
> All the source and binary releases along with git are safe.

To be more precise: The machine used to package up the releases shows some traces of an infection. Recent releases are being reviewed and show no traces of anything being injected there; still we are not comfortable with using the box to build new tarballs ;)

Short FAQ:

Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit identifiers and distributed nature along with our automatic mirroring to github serve as further mitigation for potential issues.

Q: Are downloads from php.net/downloads affected?
A: The attack would happen during creating the release tarballs. Recent releases are being reviewed and show no traces of modifications.

Q: Are downloads from windows.php.net affected?
A: Windows builds are created from release tarballs. If those were infected this might affect Windows, too. But no such infection could be found.

Q: Why are releases actually built on some server instead of RMs' machines?
A: The git repository is not directly usable by end users as it contains only the individual config.m4 files etc. and no complete configure script, and only some parsers in raw form and not the generated C file. As we want to ensure reliable behavior we use a machine with specific versions of bison, autoconf and other tools. See the make_dist script in php-src for details on what's being made.

Q: Are snaps or RC releases affected?
A: I do not know, but know of no traces.

Q: Are other boxes affected, could the attacker steal credentials?
A: Login to the box happens via ssh keypairs so no secret credentials reach the box on login; if a user provided a password (i.e. for running sudo) while the box was infected this might be compromised.
This won't affect other php.net systems, though, as those are only reachable via specific servers using two-factor authentication (or actually three-factor: ssh key, ssh key passphrase and one time passcode (RFC6238)).

johannes
RE: [PHP-DEV] Re: What happened to the 5.6.1 release?
Hi,

> -Original Message-
> From: Johannes Schlüter [mailto:johan...@schlueters.de]
>
> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>>> Actually, some php.net machines have been compromised and prevent us from
>>> releasing 5.6.1.
>> [...]
>> All the source and binary releases along with git is safe.
>
> To be more precise: The machine used to package up the releases show some
> traces of an infection. recent releases are being reviewed and show no
> traces of anything being injected there, still we are not comfortable with
> using the box to build new tarballs ;)
>
> Short FAQ:
>
> Q: Is the git repo affected?
> A: No. The infected box is a different one. git's cryptographic commit
> identifiers and distributed nature along with our automatic mirroring to
> github serve as further mitigation for potential issues.
>
> Q: Are downloads from php.net/downloads affected?
> A: The attack would happen during creating the release tarballs. Recent
> releases are being reviewed and show no traces of modifications.
>
> Q: Are downloads from windows.php.net affected?
> A: Windows builds are created from release tarballs. If those were
> infected this might affect Windows, too. But no such infection could be
> found.

The answer is No. We always pull from git.php.net for new releases. We also scan all releases before posting them.

RMs, please let me know if you'd like me to pull the bins on windows.php.net, or if you're not planning on retagging we can just sit tight and wait for the official announcement.

> Q: Are snaps or RC releases affected?
> A: I do not know, but know of no traces.

The Windows build machines pull from git directly for snapshot and RC builds too.

Thanks!
Steve
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Mon, Sep 29, 2014 at 5:57 PM, Stephen Zarkos stephen.zar...@microsoft.com wrote:
> Hi,
>
>> -Original Message-
>> From: Johannes Schlüter [mailto:johan...@schlueters.de]
>>
>> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>>>> Actually, some php.net machines have been compromised and prevent us from
>>>> releasing 5.6.1.
>>> [...]
>>> All the source and binary releases along with git is safe.
>>
>> To be more precise: The machine used to package up the releases show some
>> traces of an infection. recent releases are being reviewed and show no
>> traces of anything being injected there, still we are not comfortable with
>> using the box to build new tarballs ;)
>>
>> Short FAQ:
>>
>> Q: Is the git repo affected?
>> A: No. The infected box is a different one. git's cryptographic commit
>> identifiers and distributed nature along with our automatic mirroring to
>> github serve as further mitigation for potential issues.
>>
>> Q: Are downloads from php.net/downloads affected?
>> A: The attack would happen during creating the release tarballs. Recent
>> releases are being reviewed and show no traces of modifications.
>>
>> Q: Are downloads from windows.php.net affected?
>> A: Windows builds are created from release tarballs. If those were
>> infected this might affect Windows, too. But no such infection could be
>> found.
>
> The answer is No. We always pull from git.php.net for new releases. We
> also scan all releases before posting them.
>
> RMs, please let me know if you'd like me to pull the bins on
> windows.php.net, or if you're not planning on retagging we can just sit
> tight and wait for the official announcement.

yes, pull them off for now. Only to be in sync with the official releases, thanks!

-- 
Pierre

@pierrejoye | http://www.libgd.org
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
Am 29.09.2014 17:04, schrieb Johannes Schlüter:
> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>>> Actually, some php.net machines have been compromised and prevent us from
>>> releasing 5.6.1.
> [...]
> Q: Is the git repo affected?
> A: No. The infected box is a different one. git's cryptographic commit
> identifiers and distributed nature along with our automatic mirroring to
> github serve as further mitigation for potential issues.

This sounds like it won't be that bad of an idea to build directly from a git tag if you know how. Together with signed tags this should be more trustworthy imho. I don't see a huge downside here.

I wonder if one could replace that release server with a simple vagrant setup or similar so the RM can actually create release archives on his own.

Greetings,

Pierre

-- 
Pierre Schmitz, https://pierre-schmitz.com
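Johannes' FAQ leans on git's cryptographic commit identifiers, and Pierre proposes building from a signed tag. What ties the two together is that a signed tag signs a commit id, the commit id commits to a tree id, and the tree id is a hash over every path, mode and file content underneath it. The following added example (written for this page; it is not php-src tooling and not how make_dist works) recomputes those identifiers in pure Python, so a checked-out directory or an unpacked tarball can be compared against the tree id recorded under a verified tag (`git rev-parse <tag>^{tree}`) without trusting the machine that produced the tarball. It assumes a plain directory of regular files and subdirectories (no symlinks or submodules); the sample directory built by `demo()` is constructed for the example.

```python
"""Recompute git blob/tree/commit ids for a directory (added example, not php-src code)."""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Iterable


def object_id(kind: str, body: bytes) -> bytes:
    """git object id: SHA-1 over "<kind> <len>\\0" followed by the body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).digest()


def blob_id(data: bytes) -> bytes:
    return object_id("blob", data)


def tree_id(directory: Path) -> bytes:
    """Serialize a directory exactly as a git tree object and hash it.
    Entries are "<mode> <name>\\0<20-byte id>", sorted by name, where git
    compares a subdirectory's name as if it ended in "/"."""
    entries = []
    for child in directory.iterdir():
        if child.name == ".git":
            continue                                  # metadata, not content
        st = child.lstat()
        name = child.name.encode()
        if stat.S_ISDIR(st.st_mode):
            mode, oid, sort_key = b"40000", tree_id(child), name + b"/"
        elif stat.S_ISREG(st.st_mode):
            mode = b"100755" if st.st_mode & stat.S_IXUSR else b"100644"
            oid, sort_key = blob_id(child.read_bytes()), name
        else:
            raise ValueError(f"unsupported entry (symlink/special file): {child}")
        entries.append((sort_key, mode + b" " + name + b"\0" + oid))
    entries.sort(key=lambda e: e[0])
    return object_id("tree", b"".join(e[1] for e in entries))


def commit_id(tree: bytes, parents: Iterable[bytes], author: str,
              committer: str, message: str) -> bytes:
    """Commit object: headers, blank line, message. Changing any byte of any
    file changes the tree id and therefore this id, which is what a signed
    tag ultimately pins down."""
    lines = [b"tree " + tree.hex().encode()]
    lines += [b"parent " + p.hex().encode() for p in parents]
    lines += [b"author " + author.encode(), b"committer " + committer.encode(), b""]
    return object_id("commit", b"\n".join(lines) + b"\n" + message.encode())


def tree_matches(directory, expected_hex: str) -> bool:
    """Compare an unpacked source tree with the tree id taken from a verified tag."""
    return tree_id(Path(directory)).hex() == expected_hex.lower()


def demo() -> dict:
    """Constructed sample: an empty directory, one clean file, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        empty = tree_id(root).hex()
        (root / "hello.txt").write_bytes(b"hello\n")
        (root / "ext").mkdir()
        (root / "ext" / "config.m4").write_bytes(b"PHP_ARG_ENABLE(example)\n")
        clean = tree_id(root).hex()
        (root / "ext" / "config.m4").write_bytes(b"PHP_ARG_ENABLE(example)\n# injected\n")
        tampered = tree_id(root).hex()
        verdict = tree_matches(root, clean)
    return {"empty": empty, "clean": clean, "tampered": tampered, "tampered_matches_clean": verdict}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The empty tree and the blob hashes in the test are git's well-known constants, so the implementation can be checked without git installed; to use it for real, run `git verify-tag` on the tag, take `git rev-parse <tag>^{tree}`, and pass that to `tree_matches` against the unpacked tarball (generated files such as `configure` will, by design, not be in the tree and have to be excluded first).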
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Mon, Sep 29, 2014 at 6:35 PM, Pierre Schmitz pie...@archlinux.de wrote:
> Am 29.09.2014 17:04, schrieb Johannes Schlüter:
>> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>>>> Actually, some php.net machines have been compromised and prevent us from
>>>> releasing 5.6.1.
>> [...]
>> Q: Is the git repo affected?
>> A: No. The infected box is a different one. git's cryptographic commit
>> identifiers and distributed nature along with our automatic mirroring to
>> github serve as further mitigation for potential issues.
>
> This sounds like it won't be that bad of an idea to build directly from a
> git tag if you know how. Together with signed tags this should be more
> trustworthy imho. I don't see a huge downside here.
>
> I wonder if one could replace that release server with a simple vagrant
> setup or similar so the RM can actually create release archives on his
> own.

Not using vagrant but this is how it is done now. That box was used until a couple of years ago due to some bison (or ac) issues, to be sure that the src releases work on any supported systems.

Cheers,
-- 
Pierre

@pierrejoye | http://www.libgd.org
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
On Mon, 2014-09-29 at 18:35 +0200, Pierre Schmitz wrote:
> Am 29.09.2014 17:04, schrieb Johannes Schlüter:
>> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>>>> Actually, some php.net machines have been compromised and prevent us from
>>>> releasing 5.6.1.
>> [...]
>> Q: Is the git repo affected?
>> A: No. The infected box is a different one. git's cryptographic commit
>> identifiers and distributed nature along with our automatic mirroring to
>> github serve as further mitigation for potential issues.
>
> This sounds like it won't be that bad of an idea to build directly from a
> git tag if you know how. Together with signed tags this should be more
> trustworthy imho. I don't see a huge downside here.

In a general case this might lead to issues due to different behavior by different autoconf or bison or whatever versions. The issues might go from failing builds over slightly different error messages on parse errors to something completely weird. In recent years we had little of these issues ... so if you feel confident with using git, buildconf and these extra tools you can do that.

> I wonder if one could replace that release server with a simple vagrant
> setup or similar so the RM can actually create release archives on his
> own.

Still you have to make sure the base box image and puppet (or such) scripts are hosted on a proper box. Might be good if somebody looks into this; when doing so, mind that snaps should be created using the same toolchain.

johannes
Re: [PHP-DEV] Re: What happened to the 5.6.1 release?
Hi!

> I wonder if one could replace that release server with a simple vagrant
> setup or similar so the RM can actually create release archives on his
> own.

I've always packaged 5.4 on my local machine, but it may have a downside of using different bison/automake/etc. version and produce a release that has different compatibility matrix than officially announced. So far we didn't have such problems AFAIK so building locally from git is most probably fine. However, for the most users I'd recommend to wait for official release anyway, just to be sure you're in sync with the release packages and don't miss any possible last-minute changes. But, if you are comfortable with git and building from it, it's fine.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
[PHP-DEV] Re: What happened to the 5.6.1 release?
Pierre Schmitz in php.internals (Sun, 28 Sep 2014 08:44:33 +0200):
> I wonder what happened to the 5.6.1 release. A git tag was pushed 4 days
> ago but since then no announcement was made nor any tar files of the
> release were uploaded.

The sources are available at http://windows.php.net/download/
Strange that they did not show up at the non WIN32 download page. Is there some security issue that we are not yet aware of?

Jan