Internet related News · 2021-03-30

PHP git server hacked – News


The official PHP Git repository has been hacked & the code base tampered with. This has resulted in the decision to discontinue the git.php.net server.

Two malicious “commits” were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The hackers had signed off on these commits as if they were made by known PHP developers & maintainers: Rasmus Lerdorf & Nikita Popov.

Writing on the official PHP blog, Nikita said that everything pointed towards a compromise of the git.php.net server (rather than a compromise of an individual git account).

While the investigation was underway, it was decided that maintaining git infrastructure was an unnecessary security risk & that the git.php.net server would be discontinued, said Nikita. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub. If you are not part of the organization yet, or don’t have access to a repository you should have access to, contact me at nikic@php.net with your php.net and GitHub account names, as well as the permissions you’re currently missing. Membership in the organization requires 2FA to be enabled. This change also means that it is now possible to merge pull requests directly from the GitHub web interface.

Nikita