Newsgroups: php.internals
Date: Thu, 11 Jul 2024 14:54:23 +0100 (BST)
From: derick@php.net (Derick Rethans)
To: Roman Pronskiy
cc: PHP internals
Subject: Re: [PHP-DEV] Website php.net updates and coordination
Message-ID: <3054c75d-c08a-cd85-0749-c5dc6f39a1e5@php.net>

On Wed, 10 Jul 2024, Roman Pronskiy wrote:

> 3. Deployment Process
> Recently, there was an incident with a code block pushed to the
> website accidentally: https://github.com/php/web-php/pull/1021. It was
> promptly reverted, but the case highlighted a potential security risk:

It wasn't an *accident* that I pushed it.

Only people with commit access to php-web can push things, and that
isn't a large list of people. It is the RMs:
https://github.com/orgs/php/teams/release-managers
and web-team: https://github.com/orgs/php/teams/web-team

Each has 13 members, but there are some overlaps.

The deploy scripts are all part of php-systems, to which only the
repository owners can commit, and web-master, to which only the
above-mentioned web-team can commit.

> unauthorized modifications could go unnoticed, potentially affecting
> all visitors of the php.net website worldwide. In theory, malicious
> code could be added to the server directly if access is compromised,
> with high chances of being unnoticed.

All commits to web-php and web-master are emailed to a mailing list:
https://news-web.php.net/php.webmaster which I actively monitor.

We can probably improve on this, but this is all pretty tight, more so
than committing random things to the PHP source repository.

cheers,
Derick