Newsgroups: php.doc,php.internals
Date: Mon, 29 Mar 2021 23:10:47 +0200
From: benjamin.morel@gmail.com (Benjamin Morel)
To: Nikita Popov
Cc: PHP internals, PHP Doc Mailing List
Subject: Re: Changes to Git commit workflow

> Hi everyone,
>
> Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> exactly this happened, but everything points towards a compromise of the
> git.php.net server (rather than a compromise of an individual git
> account).

That is scary. Can you disclose the contents of the commits? Are they
specially designed to open a security hole, or to be harmful in another way?

> While investigation is still underway, we have decided that maintaining
> our own git infrastructure is an unnecessary security risk, and that we
> will discontinue the git.php.net server. Instead, the repositories on
> GitHub, which were previously only mirrors, will become canonical. This
> means that changes should be pushed directly to GitHub rather than to
> git.php.net.

This change will be welcome anyway!

— Benjamin