Newsgroups: php.doc,php.internals
Date: Mon, 29 Mar 2021 00:57:03 +0200
To: PHP internals, PHP Doc Mailing List
Subject: Re: Changes to Git commit workflow
From: nikita.ppv@gmail.com (Nikita Popov)

On Mon, Mar 29, 2021 at 12:52 AM Nikita Popov wrote:

> Hi everyone,
>
> Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> exactly this happened, but everything points towards a compromise of the
> git.php.net server (rather than a compromise of an individual git
> account).
>
> While investigation is still underway, we have decided that maintaining
> our own git infrastructure is an unnecessary security risk, and that we
> will discontinue the git.php.net server. Instead, the repositories on
> GitHub, which were previously only mirrors, will become canonical. This
> means that changes should be pushed directly to GitHub rather than to
> git.php.net.
>
> While previously write access to repositories was handled through our
> home-grown karma system, you will now need to be part of the php
> organization on GitHub. If you are not part of the organization yet, or
> don't have access to a repository you should have access to, contact me at
> nikic@php.net with your php.net and GitHub account names, as well as the
> permissions you're currently missing. Membership in the organization
> requires 2FA to be enabled.
>
> This change also means that it is now possible to merge pull requests
> directly from the GitHub web interface.
>
> We're reviewing the repositories for any corruption beyond the two
> referenced commits. Please contact security@php.net if you notice
> anything.
>
> Regards,
> Nikita

Assuming you do already have write access on GitHub, you can change the
upstream repository of your local clone by running "git remote set-url
origin git@github.com:php/php-src.git" (replacing php/php-src with the
repository in question).

Nikita
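
Added example, not part of the original message or of the PHP project's tooling: a shell helper that applies the "git remote set-url" step above to every remote of a clone, including a separately configured push URL, which a plain set-url leaves pointing at git.php.net. The function names and the repository slug argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message); function names are hypothetical.
# Host being retired, as named in the announcement.
OLD_HOST="git.php.net"

# repoint_remotes <clone-dir> <github-slug>
# Rewrites every fetch or push URL that mentions $OLD_HOST to
# git@github.com:<slug>.git and prints the name of each remote it changed.
repoint_remotes() {
    dir=$1
    slug=$2
    new_url="git@github.com:${slug}.git"
    for remote in $(git -C "$dir" remote); do
        changed=0
        fetch_url=$(git -C "$dir" remote get-url "$remote")
        case $fetch_url in
            *"$OLD_HOST"*)
                git -C "$dir" remote set-url "$remote" "$new_url"
                changed=1 ;;
        esac
        # A pushurl set on its own is not touched by the plain set-url above,
        # so pushes would still go to the old host. Check it separately.
        for push_url in $(git -C "$dir" remote get-url --push --all "$remote"); do
            case $push_url in
                *"$OLD_HOST"*)
                    # Third argument: replace the push URL matching this regex.
                    git -C "$dir" remote set-url --push "$remote" "$new_url" "$OLD_HOST"
                    changed=1 ;;
            esac
        done
        if [ "$changed" -eq 1 ]; then
            echo "$remote"
        fi
    done
    return 0
}

# stale_remotes <clone-dir>
# Prints every remote URL setting that still references $OLD_HOST
# (empty output means the clone no longer talks to the old server).
stale_remotes() {
    git -C "$1" config --get-regexp '^remote\..*\.(url|pushurl)$' \
        | grep -F "$OLD_HOST" || true
}
```

Run repoint_remotes on the clone with the GitHub slug (for example php/php-src), then confirm that stale_remotes prints nothing.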