PHP's Git Server Compromised, Now Switching To GitHub

  • PHP's Git Server Compromised, Now Switching To GitHub

    Phoronix: PHP's Git Server Compromised, Now Switching To GitHub

    The PHP programming language's self-hosted Git server was compromised on Sunday and two malicious commits introduced...

    https://www.phoronix.com/scan.php?pa...it-Compromised

  • #2
    Let's have a dozen comments about how GitHub is owned and run by an evil anti-open-source company.



    • #3
      Originally posted by birdie:
      Let's have a dozen comments about how GitHub is owned and run by an evil anti-open-source company.
      Do you disagree with that statement, or are you annoyed by people complaining about GitHub?



      • #4
        Let's have a dumb, naive comment on how putting all your eggs in someone else's server (especially Microsoft's) is a good idea.

        Edit: Oh, birdie beat me to it

        Now Microsoft is the only malicious entity that can sabotage the PHP source (Edit: of course there are still others. But Microsoft is the worst!).
        Last edited by kpedersen; 29 March 2021, 02:44 PM.



        • #5
          Originally posted by kpedersen:
          Let's have a dumb, naive comment on how putting all your eggs in someone else's server (especially Microsoft's) is a good idea.

          Edit: Oh, birdie beat me to it

          Now Microsoft is the only malicious entity that can sabotage the PHP source.
          Well, it is not like they are stuck on GitHub and have vendor lock-in. Git is distributed, so it is just one host; they can easily just migrate to GitLab or some other host if they want to.



          • #6
            Originally posted by kpedersen:
            Let's have a dumb, naive comment on how putting all your eggs in someone else's server (especially Microsoft's) is a good idea.

            Edit: Oh, birdie beat me to it

            Now Microsoft is the only malicious entity that can sabotage the PHP source.
            Git is written in such a way that it's impossible to sabotage it unless you have near-infinite computational resources.

            Git, after all, was one of the first implementations of blockchain long before Satoshi came up with Bitcoin.

            Originally posted by uid313:
            Well, it is not like they are stuck on GitHub and have vendor lock-in. Git is distributed, so it is just one host; they can easily just migrate to GitLab or some other host if they want to.
            Exactly.



            • #7
              Originally posted by uid313:
              Well, it is not like they are stuck on GitHub and have vendor lock-in. Git is distributed, so it is just one host; they can easily just migrate to GitLab or some other host if they want to.
              In all fairness, I hope they do. Mirror the Git repo to all (GitLab, BitBucket and private local) and cross-check between each periodically. I don't trust Microsoft in a number of ways. Their incompetence with security is probably most relevant for this, however.

              This is further exacerbated by the fact that Git doesn't enforce a user account system, so it is very easy to impersonate other users simply by changing user.name and user.email. The only solution for this is a commit hook, which I don't believe Microsoft will implement.

              https://stackoverflow.com/questions/...f-another-user

              Which means we are at the whims of that dumb OAuth stuff that Microsoft is faffing around with on GitHub, or (hopefully) public SSH keys that I am sure Microsoft will accidentally forget to authenticate/challenge against when push comes to shove. Perhaps they will cite improved performance if they "skip that key nonsense", haha.

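As an added illustration of the two points above (not code from the thread): post #6's claim that Git history is hard to alter rests on each commit id being a SHA-1 over a body that includes the parent's id, and post #7's mirror cross-check works by comparing branch tips across copies. The script below is constructed for this page; the author identity, commit messages and mirror names are made up, and it re-implements Git's commit-hashing rule so it runs without git installed.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed identity for the demo (not anyone from the thread).
AUTHOR = "Alice Example <alice@example.invalid> 1617000000 +0000"
# Git's well-known id for the empty tree; every demo commit points at it.
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"


def git_object_id(kind: str, body: bytes) -> str:
    """Object id as git computes it: SHA-1 over "<type> <size>\\0<body>"."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_id(tree: str, parent: Optional[str], author: str, message: str) -> str:
    """Serialise a commit the way git stores it and hash it. The parent id
    is inside the hashed body, which is what links commits into a chain."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += [f"author {author}", f"committer {author}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def build_history(messages: List[str], author: str = AUTHOR) -> List[str]:
    """Linear history from a list of commit messages; returns the commit ids
    oldest first. Changing any commit changes every id after it."""
    ids: List[str] = []
    parent: Optional[str] = None
    for message in messages:
        parent = commit_id(EMPTY_TREE, parent, author, message)
        ids.append(parent)
    return ids


def cross_check(branch_tips: Dict[str, str], trusted_tip: str) -> List[str]:
    """The periodic mirror cross-check: compare each mirror's branch tip with
    the copy you trust and return the names of the mirrors that diverge."""
    return sorted(name for name, tip in branch_tips.items() if tip != trusted_tip)


if __name__ == "__main__":
    honest = build_history(["init", "fix parser", "release 8.0"])
    # Same history with one older commit altered; the tip no longer matches.
    altered = build_history(["init", "fix parser (altered)", "release 8.0"])
    print(cross_check({"gitlab": honest[-1], "mirror": altered[-1]}, honest[-1]))
```

As post #7 notes, the author and committer lines are free text, so the hash chain only tells you that two copies diverge, not who really wrote a commit; authorship is what signed commits and server-side hooks are for.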


              • #8
                Originally posted by kpedersen:
                In all fairness, I hope they do. Mirror the Git repo to all (GitLab, BitBucket and private local) and cross-check between each periodically. I don't trust Microsoft in a number of ways. Their incompetence with security is probably most relevant for this, however.
                In all fairness, Microsoft has been managing security updates quite well recently, and I haven't heard that their infrastructure has been compromised lately or ever.

                Meanwhile Open Source projects get compromised on a monthly basis if not more often.

                Perhaps you need to see the world as it is, not as you believe it is.



                • #9
                  Originally posted by birdie:
                  In all fairness, Microsoft has been managing security updates quite well recently
                  Other than a certain critical MS Exchange security flaw that has been running rampant through organizations for the last month?

                  https://practical365.com/microsoft-i...change-server/

                  I think around 5 universities in the UK have been compromised because of this mess. The trick is to not be incompetent and to try to avoid needing the security updates in the first place.



                  • #10
                    Originally posted by birdie:
                    ... Microsoft ... I haven't heard that their infrastructure has been compromised lately or ever....
                    You don't consider RCEs a likely compromise?

                    e.g. CVE-2019-1372
                    Last edited by elatllat; 29 March 2021, 08:29 AM.
