Newsgroups: php.internals
To: internals@lists.php.net
Date: Wed, 07 Apr 2021 18:07:44 +0200
Subject: Re: Update on git.php.net incident
From: phpdev@ehrhardt.nl (Jan Ehrhardt)

Nikita Popov in php.internals (Tue, 6 Apr 2021 20:28:03 +0200):
>Something I was not aware of at the time is that git.php.net
>(intentionally) supported pushing changes not only via SSH (using the
>gitolite infrastructure and public key cryptography), but also via HTTPS.
>The latter did not use gitolite, and instead used git-http-backend behind
>Apache2 Digest authentication against the master.php.net user database. I'm
>not sure why password-based authentication was supported in the first
>place, as it is much less secure than pubkey authentication.

Password-based authentication on GitHub has been deprecated for some time now
and will be disabled on August 13, 2021. See the timeline in
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/

--
Jan