Newsgroups: php.doc,php.internals
Date: Mon, 29 Mar 2021 00:52:24 +0200
From: nikita.ppv@gmail.com (Nikita Popov)
To: PHP internals, PHP Doc Mailing List
Subject: Changes to Git commit workflow

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub. If you are not part of the organization yet, or don't have access to a repository you should have access to, contact me at nikic@php.net with your php.net and GitHub account names, as well as the permissions you're currently missing. Membership in the organization requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests directly from the GitHub web interface.

We're reviewing the repositories for any corruption beyond the two referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1]: https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d and https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a