Date: Wed, 31 Mar 2021 16:45:17 +0200
From: Felix Palmen <felix@palmen-it.de>
To: freebsd-ports@freebsd.org
Subject: Re: Lessons from the PHP git repo "hack"
Message-ID: <20210331144517.oin3sa6i57mv6mjw@nexus.home.palmen-it.de>
In-Reply-To: <1035BFA8-667D-45CD-9066-848351F648EF@kreme.com>
References: <6314D726-F55D-4374-AB63-B17B7B3E4D14@kreme.com> <20210331135819.rzy3weyxunobnne6@nexus.home.palmen-it.de> <1035BFA8-667D-45CD-9066-848351F648EF@kreme.com>
* @lbutlr <kremels@kreme.com> [20210331 08:03]:
> On 31 Mar 2021, at 07:58, Felix Palmen <felix@palmen-it.de> wrote:
> > I'd say the lesson is keep your systems updated and pay attention to
> > keep your credentials safe/secret. I don't see how Github would
> > prevent such an incident any better.
>
> That is making an assumption that the people running the php git
> server were incompetent,

Also note this isn't assumed at all. "Incompetence", that could mean
several things, e.g.:

* A committer somehow "leaking" their credentials
* A configuration error on the server

Then, it could be the case the server just wasn't maintained well enough,
which is typically more an issue of time / manpower than of incompetence.
The move to Github somehow suggests that the people in charge might
suspect something like this.

And finally, they could also be the victim of some 0day. But then, moving
to Github would hardly reduce the risk.

So, is there any other scenario you have in mind?

-- 
Dipl.-Inform. Felix Palmen <felix@palmen-it.de>      ,.//..........
{web} http://palmen-it.de   {jabber} [see email]    ,//palmen-it.de
{pgp public key} http://palmen-it.de/pub.txt        //  """""""""""
{pgp fingerprint} A891 3D55 5F2E 3A74 3965 B997 3EF2 8B0A BC02 DA2A
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20210331144517.oin3sa6i57mv6mjw>