From: Jose Quinteiro
Date: Wed, 31 Mar 2021 11:02:43 -0700
To: freebsd-ports@freebsd.org
Subject: Re: Lessons from the PHP git repo "hack"

On 3/31/21 7:03 AM, @lbutlr wrote:
>
> That is making an assumption that the people running the php git server were incompetent, which is not something I am willing to do at this point.
>

Isn't it too early to learn any lessons, then?

I've found passwords checked into public Github repos more than once. I don't equate Github with security.

Thanks,
Jose