March 29, 2021
Source: https://news-web.php.net/php.internals/113838
Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub. If you are not part of the organization yet, or don't have access to a repository you should have access to, contact me at nikic@php.net with your php.net and GitHub account names, as well as the permissions you're currently missing. Membership in the organization requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests directly from the GitHub web interface.

We're reviewing the repositories for any corruption beyond the two referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1]: https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d and https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a