Date: Wed, 31 Mar 2021 07:47:01 -0600 From: "@lbutlr" <kremels@kreme.com> To: FreeBSD <freebsd-ports@freebsd.org> Subject: Lessons from the PHP git repo "hack" Message-ID: <6314D726-F55D-4374-AB63-B17B7B3E4D14@kreme.com>
next in thread | raw e-mail | index | archive | help
As you may know, PHP has decided to move their repo to GitHub after an = unauthorized "hack" was committed to PHP. I say "hack" because it appears the code was intentionally obvious and = went to some lengths to draw attention to itself, so it appears someone = did this to highlight issues with the private git repo rather than a = real attempt to hack. These changes were made under authorized accounts = despite a 2FA system and it's unclear at this point how access was = gained. The current Gihub, which was a mirror only, will be the primary repo = going forward and the php git server will be retired. Which brings me to the reason for this post, as it seems that the ports = collection of FreeBSD 13.x will be in the same position, running a = private git server network and using GitHub as a mirror and I wonder if = some lessons from php's experience with this should be considered for = this setup before it's implemented. I'm not linking to stories about this because all the ones I can find = are clickbait frothing panic-inducing nonsense rather than looking at = what actually happened. Maybe Krebs will post something soon. --=20 Turning and turning in the widening gyre The falcon cannot hear the falconer;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6314D726-F55D-4374-AB63-B17B7B3E4D14>