Newsgroups: php.doc,php.internals
Date: Sun, 28 Mar 2021 16:57:16 -0700
From: paul.crovella@gmail.com (Paul Crovella)
To: Nikita Popov
Cc: PHP internals, PHP Doc Mailing List
Subject: Re: [PHP-DEV] Changes to Git commit workflow

You might consider requiring commits be signed while you're at it.

On Sun, Mar 28, 2021 at 3:53 PM Nikita Popov wrote:
>
> Hi everyone,
>
> Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> exactly this happened, but everything points towards a compromise of the
> git.php.net server (rather than a compromise of an individual git account).
>
> While investigation is still underway, we have decided that maintaining our
> own git infrastructure is an unnecessary security risk, and that we will
> discontinue the git.php.net server. Instead, the repositories on GitHub,
> which were previously only mirrors, will become canonical. This means that
> changes should be pushed directly to GitHub rather than to git.php.net.
>
> While previously write access to repositories was handled through our
> home-grown karma system, you will now need to be part of the php
> organization on GitHub. If you are not part of the organization yet, or
> don't have access to a repository you should have access to, contact me at
> nikic@php.net with your php.net and GitHub account names, as well as the
> permissions you're currently missing. Membership in the organization
> requires 2FA to be enabled.
>
> This change also means that it is now possible to merge pull requests
> directly from the GitHub web interface.
>
> We're reviewing the repositories for any corruption beyond the two
> referenced commits. Please contact security@php.net if you notice anything.
>
> Regards,
> Nikita
>
> [1]:
> https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
> and
> https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
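Added example, not part of this thread and not php-src's own tooling: a pre-receive hook in POSIX sh that enforces the signed-commit requirement Paul suggests. It lists every commit a push would add, reads git's %G? signature status for each, and rejects the push unless every commit has a good signature (status G). Assumptions for the example only: git and gpg are on the hook user's PATH, and the public keys of the people allowed to commit have been imported into that user's keyring so that git can verify their signatures; the sample status lines used for checking the logic are constructed, not taken from a real repository.

```shell
#!/bin/sh
# Added example (not from the php-src thread): pre-receive hook that refuses
# pushes containing commits whose signature git cannot verify as good.
# Assumes git + gpg on PATH and the allowed committers' public keys imported
# into the hook user's keyring (assumption for this example, not project policy).

# git's %G? status codes: G good, U good but key untrusted, B bad,
# X/Y expired signature/key, R revoked key, E cannot check (key missing),
# N no signature. Only G is accepted; allowing U would mean accepting a
# signature from any key that happens to be importable, i.e. no real check.
signature_ok() {
    case "$1" in
        G) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "<sha> <status>" lines on stdin, report offenders on stderr, and
# return the number of rejected commits (0 means the push is acceptable).
check_commit_lines() {
    bad=0
    while read -r sha status; do
        [ -z "$sha" ] && continue
        if ! signature_ok "$status"; then
            echo "rejected: commit $sha has signature status '$status'" >&2
            bad=$((bad + 1))
        fi
    done
    # Exit statuses are 0-255, so cap the count.
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Hook entry point. git feeds pre-receive one "<old> <new> <ref>" line per
# updated ref on stdin; a non-zero exit aborts the whole push.
pre_receive() {
    zero=0000000000000000000000000000000000000000
    while read -r old new ref; do
        # Ref deletion: no new commits to verify.
        [ "$new" = "$zero" ] && continue
        if [ "$old" = "$zero" ]; then
            range="$new"          # new branch: verify everything reachable
        else
            range="$old..$new"    # existing branch: only the new commits
        fi
        # %H = full commit hash, %G? = signature verification status.
        git log --format='%H %G?' "$range" | check_commit_lines || return 1
    done
    return 0
}

# Run the hook when git invokes this file; when sourced, only define functions.
case "$0" in
    *pre-receive) pre_receive ;;
esac
```

Install it as hooks/pre-receive on the bare repository and make it executable. One caveat worth stating: a hook runs on, and trusts the keyring of, the server it protects. Against the kind of server compromise the message above suspects, the hook and its keyring can be altered along with the repository, so signature verification (git verify-commit, git log --show-signature) should also be done by reviewers and release tooling on machines the server does not control, and the set of accepted keys should be maintained somewhere other than the server itself.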