From: Amarendra Godbole <amarendra.godbole@gmail.com>
Date: Wed, 31 Mar 2021 16:58:11 -0700
Subject: Re: Lessons from the PHP git repo "hack"
To: "@lbutlr"
Cc: FreeBSD <freebsd-ports@freebsd.org>
List-Id: Porting software to FreeBSD
References: <6314D726-F55D-4374-AB63-B17B7B3E4D14@kreme.com> <20210331135819.rzy3weyxunobnne6@nexus.home.palmen-it.de> <1035BFA8-667D-45CD-9066-848351F648EF@kreme.com>

On Wed, Mar 31, 2021 at 3:14 PM @lbutlr wrote:
>
> On 31 Mar 2021, at 12:02, Jose Quinteiro wrote:
> > I've found passwords checked into public Github repos more than once. I
> > don't equate Github with security.
>
> Have you also found the code necessary to replicate a 2FA token checked in to a GitHub repo?

[...]

The "official" statement [1] points to a compromise of the git.php.net server rather than any individual account. Potentially poorly maintained infra. They may have simply moved to github to delegate this responsibility of maintaining the infra to github, and potentially simplify access control decisions.

Thanks.
-ag

[1] https://news-web.php.net/php.internals/113838