Hi,
I wonder what happened to the 5.6.1 release. A git tag was pushed 4 days
ago but since then no announcement was made nor any tar files of the
release were uploaded. Is it assumed that we should build packages from
the git repo directly from now on? It wouldn't be a big deal, I'd just like to
know if it was held back due to last-minute bugs.
Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
Pierre Schmitz in php.internals (Sun, 28 Sep 2014 08:44:33 +0200):
I wonder what happened to the 5.6.1 release. A git tag was pushed 4 days
ago but since then no announcement was made nor any tar files of the
release were uploaded.
The sources are available at http://windows.php.net/download/
Strange that they did not show up at the non WIN32 download page.
Is there some security issue that we are not yet aware of?
Jan
Pierre Schmitz in php.internals (Sun, 28 Sep 2014 08:44:33 +0200):
I wonder what happened to the 5.6.1 release. A git tag was pushed 4 days
ago but since then no announcement was made nor any tar files of the
release were uploaded.
The sources are available at http://windows.php.net/download/
Strange that they did not show up at the non WIN32 download page.
Is there some security issue that we are not yet aware of?
Hello,
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
One should not use the tag and wait for the official announcements.
Julien.P
Julien Pauli in php.internals (Mon, 29 Sep 2014 12:50:55 +0200):
The sources are available at http://windows.php.net/download/
Strange that they did not show up at the non WIN32 download page.
Is there some security issue that we are not yet aware of?
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
One should not use the tag and wait for the official announcements.
What about the Windows binaries at http://windows.php.net/download/
Are they safe? If not, should not they be withdrawn from that server?
Jan
Julien Pauli in php.internals (Mon, 29 Sep 2014 12:50:55 +0200):
The sources are available at http://windows.php.net/download/
Strange that they did not show up at the non WIN32 download page.
Is there some security issue that we are not yet aware of?
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
One should not use the tag and wait for the official announcements.
What about the Windows binaries at http://windows.php.net/download/
Are they safe? If not, should not they be withdrawn from that server?
I think so, but I don't know if we would retag before the release,
probably not, but I would suggest people not to download them and wait
for official announcement of the release.
no official announcement = no release, that simple :-)
Julien.P
Julien Pauli in php.internals (Mon, 29 Sep 2014 12:50:55 +0200):
The sources are available at http://windows.php.net/download/
Strange that they did not show up at the non WIN32 download page.
Is there some security issue that we are not yet aware of?
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
One should not use the tag and wait for the official announcements.
What about the Windows binaries at http://windows.php.net/download/
Are they safe? If not, should not they be withdrawn from that server?
All the source and binary releases along with git are safe.
And there was no new breach here. It was a box that wasn't properly cleaned up from the previous one and wasn't put behind the ssh bouncer like all the other machines.
-Rasmus
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
[...]
All the source and binary releases along with git are safe.
To be more precise: The machine used to package up the releases shows
some traces of an infection. Recent releases are being reviewed and show
no traces of anything being injected there, still we are not comfortable
with using the box to build new tarballs ;)
Short FAQ:
Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed nature along with our automatic mirroring
to GitHub serve as further mitigation for potential issues.
Q: Are downloads from php.net/downloads affected?
A: The attack would happen during creating the release tarballs. Recent
releases are being reviewed and show no traces of modifications.
Q: Are downloads from windows.php.net affected?
A: Windows builds are created from release tarballs. If those were
infected this might affect Windows, too. But no such infection could be
found.
Q: Why are releases actually built on some server instead of RMs'
machines?
A: The git repository is not directly usable by end users as it contains
only the individual config.m4 files etc. and no complete configure
script, and only some parsers in raw form and not the generated C files.
As we want to ensure reliable behavior we use a machine with specific
versions of bison, autoconf and other tools. See the make_dist script in
php-src for details what's being made.
Q: Are snaps or RC releases affected?
A: I do not know, but know of no traces.
Q: Are other boxes affected, could the attacker steal credentials?
A: Login to the box happens via ssh keypairs so no secret credentials
reach the box on login, if a user provided a password (i.e. for running
sudo) while the box was infected this might be compromised. This won't
affect other php.net systems, though as those are only reachable via
specific servers using two-factor authentication (or actually
three-factor: ssh key, ssh key passphrase and one time passcode
(RFC6238))
johannes
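The review the FAQ describes (checking recent release tarballs for injected changes) comes down to comparing the tarball against the tree at the git tag, where the only legitimate extras are the generated configure script and parser C files that make_dist adds. The script below is an added example, not code from php-src or its make_dist script; the file names, file contents and the list of generated files are constructed for illustration, and it builds both the "git archive" and the release tarballs in memory so it runs offline:

```python
import hashlib
import io
import tarfile

# Files a release tarball legitimately contains although the git tag does not:
# generated configure script and generated parser C files (constructed,
# shortened list for this example; the real list comes from make_dist).
GENERATED = frozenset({
    "configure",
    "Zend/zend_language_parser.c",
    "Zend/zend_language_scanner.c",
})


def build_tar(prefix, files):
    """Build a gzipped tarball in memory from {path: bytes}, like `git archive`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_manifest(blob):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name.split("/", 1)[1] if "/" in member.name else member.name
            manifest[name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return manifest


def review_release(git_archive, release_tar, generated=GENERATED):
    """Diff a release tarball against the archive of the tag it claims to be built from."""
    expected = tar_manifest(git_archive)
    actual = tar_manifest(release_tar)
    return {
        # present in the tarball, absent from the tag, and not a known generated file
        "added": sorted(n for n in actual if n not in expected and n not in generated),
        "removed": sorted(n for n in expected if n not in actual),
        "modified": sorted(n for n in expected if n in actual and expected[n] != actual[n]),
        # generated files are expected, but still need a separate check
        # (regenerate them with the documented toolchain and compare)
        "generated": sorted(n for n in actual if n in generated),
    }


# Constructed sample trees; a real tree has thousands of files.
TAG_TREE = {
    "configure.in": b"AC_INIT(php, 5.6.1)\n",
    "main/main.c": b"int main(void) { return 0; }\n",
    "Zend/zend_language_parser.y": b"%% start: /* grammar */ ;\n",
}
CLEAN_RELEASE = {
    **TAG_TREE,
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "Zend/zend_language_parser.c": b"/* generated by bison */\n",
}
TAMPERED_RELEASE = {
    **CLEAN_RELEASE,
    "main/main.c": b"int main(void) { return 0; }\n/* constructed: line not in the tag */\n",
    "ext/standard/extra.c": b"/* constructed: file not in the tag */\n",
}

GIT_ARCHIVE = build_tar("php-5.6.1", TAG_TREE)
CLEAN_TARBALL = build_tar("php-5.6.1", CLEAN_RELEASE)
TAMPERED_TARBALL = build_tar("php-5.6.1", TAMPERED_RELEASE)

if __name__ == "__main__":
    print("clean:   ", review_release(GIT_ARCHIVE, CLEAN_TARBALL))
    print("tampered:", review_release(GIT_ARCHIVE, TAMPERED_TARBALL))
```

A clean tarball reports nothing under added, removed or modified and lists only the generated files; the tampered one reports the changed main/main.c and the extra file. The generated files are exactly where a build-box compromise would hide, so the review is only complete once they are regenerated from the tag with the pinned bison/autoconf versions and compared byte for byte.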
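The one-time passcode in the three-factor login the FAQ mentions is RFC 6238 TOTP (HMAC-based HOTP from RFC 4226 with the counter derived from the current 30-second time step). The following is an added example, not php.net's login code: the key and timestamps are the test vectors published in the two RFCs, and the verifier's replay check (refusing any step at or before the last accepted one) is an assumption about how a server should use the algorithm:

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, t0=0, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter taken from the time step."""
    return hotp(secret, (int(unix_time) - t0) // step, digits, digestmod)


def verify_totp(secret, code, unix_time, last_counter=-1, window=1,
                step=30, t0=0, digits=6, digestmod=hashlib.sha1):
    """Return the accepted time-step counter, or None.

    Accepts the current step and up to `window` steps either side (clock
    skew), refuses any step <= last_counter (replay of a used code), and
    checks every candidate in constant time without short-circuiting so the
    response time does not reveal which step matched. The caller must persist
    the returned counter as the new last_counter (assumed server-side state).
    """
    now = (int(unix_time) - t0) // step
    accepted = None
    for counter in range(now - window, now + window + 1):
        ok = hmac.compare_digest(hotp(secret, counter, digits, digestmod), code)
        if ok and counter > last_counter and accepted is None:
            accepted = counter
    return accepted


# RFC 6238 Appendix B test key for HMAC-SHA1 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC_SECRET, t, digits=8))
    print("accept:", verify_totp(RFC_SECRET, "94287082", 89, digits=8))
    print("replay:", verify_totp(RFC_SECRET, "94287082", 89, last_counter=1, digits=8))
```

The constant-time comparison and the replay counter are what separate a toy implementation from one fit for an ssh bastion: without the counter, an intercepted passcode stays valid for the whole acceptance window, and without constant-time comparison the verifier leaks partial matches through timing.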
Hi,
-----Original Message-----
From: Johannes Schlüter [mailto:johannes@schlueters.de]
Actually, some php.net machines have been compromised and prevent
us from releasing 5.6.1.
[...]
All the source and binary releases along with git are safe.
To be more precise: The machine used to package up the releases shows
some traces of an infection. Recent releases are being reviewed and show no
traces of anything being injected there, still we are not comfortable with
using the box to build new tarballs ;)
Short FAQ:
Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed nature along with our automatic mirroring to
GitHub serve as further mitigation for potential issues.
Q: Are downloads from php.net/downloads affected?
A: The attack would happen during creating the release tarballs. Recent
releases are being reviewed and show no traces of modifications.
Q: Are downloads from windows.php.net affected?
A: Windows builds are created from release tarballs. If those were infected
this might affect Windows, too. But no such infection could be found.
The answer is No. We always pull from git.php.net for new releases. We also scan all releases before posting them. RMs, please let me know if you'd like me to pull the bins on windows.php.net, or if you're not planning on retagging we can just sit tight and wait for the official announcement.
Q: Are snaps or RC releases affected?
A: I do not know, but know of no traces.
The Windows build machines pull from git directly for snapshot and RC builds too.
Thanks!
Steve
On Mon, Sep 29, 2014 at 5:57 PM, Stephen Zarkos
Stephen.Zarkos@microsoft.com wrote:
Hi,
-----Original Message-----
From: Johannes Schlüter [mailto:johannes@schlueters.de]
Actually, some php.net machines have been compromised and prevent
us from releasing 5.6.1.
[...]
All the source and binary releases along with git are safe.
To be more precise: The machine used to package up the releases shows
some traces of an infection. Recent releases are being reviewed and show no
traces of anything being injected there, still we are not comfortable with
using the box to build new tarballs ;)
Short FAQ:
Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed nature along with our automatic mirroring to
GitHub serve as further mitigation for potential issues.
Q: Are downloads from php.net/downloads affected?
A: The attack would happen during creating the release tarballs. Recent
releases are being reviewed and show no traces of modifications.
Q: Are downloads from windows.php.net affected?
A: Windows builds are created from release tarballs. If those were infected
this might affect Windows, too. But no such infection could be found.
The answer is No. We always pull from git.php.net for new releases. We also scan all releases before posting them. RMs, please let me know if you'd like me to pull the bins on windows.php.net, or if you're not planning on retagging we can just sit tight and wait for the official announcement.
yes, pull them off for now. Only to be in sync with the official
releases, thanks!
--
Pierre
@pierrejoye | http://www.libgd.org
Am 29.09.2014 17:04, schrieb Johannes Schlüter:
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
[...]
Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed nature along with our automatic mirroring
to GitHub serve as further mitigation for potential issues.
This sounds like it won't be that bad of an idea to build directly from a
git tag if you know how. Together with signed tags this should be more
trustworthy imho. I don't see a huge downside here.
I wonder if one could replace that release server with a simple vagrant
setup or similar so the RM can actually create release archives on his
own.
Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
Am 29.09.2014 17:04, schrieb Johannes Schlüter:
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
[...]
Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed nature along with our automatic mirroring
to GitHub serve as further mitigation for potential issues.
This sounds like it won't be that bad of an idea to build directly from a git
tag if you know how. Together with signed tags this should be more
trustworthy imho. I don't see a huge downside here.
I wonder if one could replace that release server with a simple vagrant
setup or similar so the RM can actually create release archives on his own.
Not using vagrant but this is how it is done now. That box was used
until a couple of years ago due to some bison (or ac) issues, to be
sure that the src releases work on any supported systems.
Cheers,
Pierre
@pierrejoye | http://www.libgd.org
Am 29.09.2014 17:04, schrieb Johannes Schlüter:
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.
[...]
Q: Is the git repo affected?
A: No. The infected box is a different one. git's cryptographic commit
identifiers and distributed nature along with our automatic mirroring
to GitHub serve as further mitigation for potential issues.
This sounds like it won't be that bad of an idea to build directly from a
git tag if you know how. Together with signed tags this should be more
trustworthy imho. I don't see a huge downside here.
In a general case this might lead to issues due to different behavior by
different autoconf or bison or whatever versions. The issues might go
from failing builds over slightly different error messages on parse
errors to something completely weird. In recent years we had little of
these issues ... so if you feel confident with using git, buildconf and
these extra tools you can do that.
I wonder if one could replace that release server with a simple vagrant
setup or similar so the RM can actually create release archives on his
own.
Still you have to make sure the base box image and puppet (or such)
scripts are hosted on a proper box. Might be good if somebody looks into
this; when doing so, mind that snaps should be created using the same
toolchain.
johannes
Hi!
I wonder if one could replace that release server with a simple vagrant
setup or similar so the RM can actually create release archives on his
own.
I've always packaged 5.4 on my local machine, but it may have a downside
of using different bison/automake/etc. version and produce a release
that has different compatibility matrix than officially announced. So
far we didn't have such problems AFAIK so building locally from git is
most probably fine. However, for most users I'd recommend waiting
for official release anyway, just to be sure you're in sync with the
release packages and don't miss any possible last-minute changes. But,
if you are comfortable with git and building from it, it's fine.
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
Hi!
I wonder if one could replace that release server with a simple vagrant
setup or similar so the RM can actually create release archives on his
own.
I've always packaged 5.4 on my local machine, but it may have a downside
of using different bison/automake/etc. version and produce a release
that has different compatibility matrix than officially announced. So
This is the same to me. AFAIR, we patched the README.RELEASE_PROCESS
to explicitly list the requirements, particularly the bison ones, for
building on local envs.
I've always built my releases on my local machine, with very accurate
versions of autoconf and bison.
Julien.Pauli
Hello,
Actually, some php.net machines have been compromised and prevent us
from releasing 5.6.1.One should not use the tag and wait for the official announcements.
Julien.P
This is pretty troubling news.
We still haven't had the promised postmortem from the last breach, so
I hope you'll be more open about this one.
Please reach out if any of us can possibly assist.