On Mon, Mar 29, 2021 at 12:52 AM Nikita Popov <nikita....@gmail.com> wrote:
> Hi everyone,
>
> Yesterday (2021-03-28) two malicious commits were pushed to the php-src
> repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
> exactly this happened, but everything points towards a compromise of the
> git.php.net server (rather than a compromise of an individual git
> account).
>
> While investigation is still underway, we have decided that maintaining
> our own git infrastructure is an unnecessary security risk, and that we
> will discontinue the git.php.net server. Instead, the repositories on
> GitHub, which were previously only mirrors, will become canonical. This
> means that changes should be pushed directly to GitHub rather than to
> git.php.net.
>
> While previously write access to repositories was handled through our
> home-grown karma system, you will now need to be part of the php
> organization on GitHub. If you are not part of the organization yet, or
> don't have access to a repository you should have access to, contact me at
> ni...@php.net with your php.net and GitHub account names, as well as the
> permissions you're currently missing. Membership in the organization
> requires 2FA to be enabled.
>
> This change also means that it is now possible to merge pull requests
> directly from the GitHub web interface.
>
> We're reviewing the repositories for any corruption beyond the two
> referenced commits. Please contact secur...@php.net if you notice
> anything.
>
> Regards,
> Nikita

Assuming you do already have write access on GitHub, you can change the upstream repository of your local clone by running "git remote set-url origin g...@github.com:php/php-src.git" (replacing php/php-src with the repository in question).

Nikita