Date: Wed, 31 Mar 2021 16:58:11 -0700
From: Amarendra Godbole <amarendra.godbole@gmail.com>
To: "@lbutlr" <kremels@kreme.com>
Cc: FreeBSD <freebsd-ports@freebsd.org>
Subject: Re: Lessons from the PHP git repo "hack"
Message-ID: <CAC1DtR=8or1H6EyrQY_HuPRuX_-C-aB0LVvXHvOFzWfuAgbmGg@mail.gmail.com>
In-Reply-To: <D4C84752-C753-44BF-98A8-5F18B8233D19@kreme.com>
References: <6314D726-F55D-4374-AB63-B17B7B3E4D14@kreme.com> <20210331135819.rzy3weyxunobnne6@nexus.home.palmen-it.de> <1035BFA8-667D-45CD-9066-848351F648EF@kreme.com> <d31d55af-a2ba-33a0-806b-fbd99d9efb9e@quinteiro.org> <D4C84752-C753-44BF-98A8-5F18B8233D19@kreme.com>

On Wed, Mar 31, 2021 at 3:14 PM @lbutlr <kremels@kreme.com> wrote:
>
> On 31 Mar 2021, at 12:02, Jose Quinteiro <freebsd@quinteiro.org> wrote:
> > I've found passwords checked into public Github repos more than once. I
> > don't equate Github with security.
>
> Have you also found the code necessary to replicate a 2FA token checked in to a GitHub repo?

[...]

The "official" statement [1] points to a compromise of the git.php.net
server rather than any individual account. Potentially poorly maintained
infra. They may have simply moved to GitHub to delegate this
responsibility of maintaining the infra to GitHub, and potentially
simplify access control decisions.

Thanks.

-ag

[1] https://news-web.php.net/php.internals/113838