On Mon, Sep 29, 2014 at 5:57 PM, Stephen Zarkos
<stephen.zar...@microsoft.com> wrote:
> Hi,
>
>
>> -----Original Message-----
>> From: Johannes Schlüter [mailto:johan...@schlueters.de]
>>
>> On Mon, 2014-09-29 at 06:35 -0700, Rasmus Lerdorf wrote:
>> > >> Actually, some php.net machines have been compromised and prevent
>> > >> us from releasing 5.6.1.
>> [...]
>> > All the source and binary releases along with git is safe.
>>
>> To be more precise: The machine used to package up the releases shows
>> some traces of an infection. Recent releases are being reviewed and show no
>> traces of anything being injected there, still we are not comfortable with
>> using the box to build new tarballs ;)
>>
>> Short FAQ:
>>
>> Q: Is the git repo affected?
>> A: No. The infected box is a different one. git's cryptographic commit
>> identifiers and distributed nature along with our automatic mirroring to
>> github serve as further mitigation for potential issues.
>>
>> Q: Are downloads from php.net/downloads affected?
>> A: The attack would happen during creating the release tarballs. Recent
>> releases are being reviewed and show no traces of modifications.
>>
>> Q: Are downloads from windows.php.net affected?
>> A: Windows builds are created from release tarballs. If those were infected
>> this might affect Windows, too. But no such infection could be found.
>
> The answer is No.  We always pull from git.php.net for new releases.  We also 
> scan all releases before posting them.  RMs, please let me know if you'd like 
> me to pull the bins on windows.php.net, or if you're not planning on 
> retagging we can just sit tight and wait for the official announcement.

Yes, pull them off for now. Only to be in sync with the official
releases, thanks!


-- 
Pierre

@pierrejoye | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
