
"Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo"

In related news, PHP switches to hosting their repositories on GitHub.

news-web.php.net/php.internals

@fribbledom I mean as long as I don't need a github account to participate that's ok.
I'm honestly concerned about that monoculture on github.

@fabiscafe
I'm sure you'd need a GitHub account if you'd want to contribute. But then again, you would have needed to be part of the PHP team before as well
@fribbledom

@sexybiggetje @fribbledom
Having a dependency on one proprietary service provider always enslaves you to the rules of this one's system. That shouldn't be a thing for open-source software.

For example, if some country now decides to block US services, you will not be able to contribute to PHP anymore, merely because they depend only on github instead of an independent, self-hosted service.

@fabiscafe
I'm pretty sure that git itself is decentralised by its nature. One could just make a copy on another service and push to it. Just the management for releases is centralised. I don't see much of a problem at the moment. Note the word much in there
@fribbledom

@sexybiggetje With mercurial, you can create a "bundle" which consists of just chosen commits. On the receiving end, they can pull those commits in as if the bundle were a full clone. Does git do something like that?

@sexybiggetje Cherry picking exports a file? I thought it was just for destroying your compatibility with upstream. Maybe I'm thinking of rebasing.

@travisfw
Maybe I'm not understanding your question correctly :) that's quite possible as well

@travisfw
Do you mean creating a patch file of specific commits? Those could just be done by exporting a git diff for specific commits to a file

@sexybiggetje I guess so, but the `hg bundle` command creates a binary file, not text you could potentially edit. And is easy to pull from. But also, pulling in mercurial doesn't update the bookmark (branch), or working directory. So in hg workflow, you often compare incoming commits after pulling, not before. Which means git users probably don't do things like this, huh?

@travisfw
No I don't think there is a direct equivalent function in git then

@travisfw
Actually there is. Never knew this or used it :)

"Git - git-bundle Documentation" git-scm.com/docs/git-bundle

@sexybiggetje @travisfw

I think what’s being described here is most like git format-patch

https://www.git-tower.com/learn/git/faq/create-and-apply-patch/

git can also create a patch from a set of commits and email it.

https://git-send-email.io/

Lots of options for creating patches and then applying them.

@sexybiggetje @fribbledom
Sure. It's not about git, git is great. But lets say I could clone it and push my changes to my private gitlab instance. How will they go upstream without github account, maybe even under consideration of the worst scenario where github is blocked by my country?

@fabiscafe
I understand. That's not possible. But I don't see much of a problem in that when offset against the maintenance/upkeep they have to do.

You provide a valid problem, but the same could happen to, for instance, hosted gitlab. Hosting over multiple vendors is an admin nightmare as well. So the only way is to self host. Which could of course also be blocked.

Short summary: I don't think there is a perfect solution that satisfies all problems.
@fribbledom

@fribbledom
Horrific. Ideally need to find a way to get commit signing to be required, and enforce specified public key, so at least compromising undetected is much harder.

If the git host is pwned they could still swap out the public key, but then the interface should show past commits as unverified etc. and that kind of key change should be broadcast. Also can check against a public keyserver so could detect suspicious changes, and disallow commits that don't match.

How else do you verify identity?
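Added example, not posted by anyone in this thread: a POSIX shell script that ties together the two technical points above. It shows the git counterparts of `hg bundle` that the thread settled on (`git bundle`, and `git format-patch` / `git am`), with the receiving side verifying the bundle and fetching it into a separate `incoming` branch so the commits can be compared before anything touches `main`, and then a maintainer-side signing policy of the kind sammorrowdrums describes: every commit in a range must carry a Good signature whose key fingerprint is on an allowlist, otherwise it is rejected. Repository names, commits, identities and the allowlist fingerprint are all constructed; nothing here refers to the php-src repositories.

```shell
#!/bin/sh
# Added example (not from the thread): git counterparts of `hg bundle`
# (git bundle, git format-patch / git am) plus a maintainer-side policy that
# rejects unsigned commits or commits signed with a key outside an allowlist.
# Repositories, commits and the allowlist are constructed in a temp dir.
set -eu

# Fixed identities so commit/am run non-interactively (constructed values).
export GIT_AUTHOR_NAME="Constructed Contributor"
export GIT_AUTHOR_EMAIL="contributor@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

# Upstream with one commit; a contributor clone two commits ahead.
# Echoes the path of the work directory.
setup_repos() {
  work=$(mktemp -d)
  git init -q "$work/upstream"
  git -C "$work/upstream" symbolic-ref HEAD refs/heads/main
  ( cd "$work/upstream" && echo v1 > README && git add README && git commit -q -m initial )
  git clone -q "$work/upstream" "$work/contributor"
  ( cd "$work/contributor" \
    && echo feature > feature.txt && git add feature.txt && git commit -q -m 'add feature' \
    && echo fix >> feature.txt && git commit -q -am 'fix feature' )
  echo "$work"
}

# hg-bundle style: one binary file holding only the commits beyond origin/main.
# The receiver runs `git bundle verify` (are the prerequisites present?) and
# fetches the bundled branch into `incoming`, leaving main and the working tree
# untouched. Echoes the number of commits now awaiting review.
ship_as_bundle() {
  work=$1
  git -C "$work/contributor" bundle create "$work/feature.bundle" origin/main..main
  git -C "$work/upstream" bundle verify "$work/feature.bundle" >/dev/null
  git -C "$work/upstream" fetch -q "$work/feature.bundle" main:incoming
  git -C "$work/upstream" rev-list --count main..incoming
}

# Mailbox style: one editable text patch per commit, applied with git am
# (author and message preserved; the committer becomes the maintainer).
ship_as_patches() {
  work=$1
  git -C "$work/contributor" format-patch -q -o "$work/patches" origin/main..main
  git -C "$work/upstream" checkout -q -b from-patches main
  git -C "$work/upstream" am -q "$work/patches"/*.patch
  git -C "$work/upstream" rev-list --count main..from-patches
}

# Signing policy for a commit range: accept only commits whose signature status
# (%G?) is G = Good and whose signing-key fingerprint (%GF) appears in the
# space-separated allowlist. Unsigned commits report N and have no fingerprint,
# so they are rejected without gpg ever being invoked. Reasons go to stderr;
# the number of rejected commits is echoed so a hook can fail on it.
check_signed_commits() {
  repo=$1; range=$2; allowed=$3
  rejected=0
  for sha in $(git -C "$repo" rev-list "$range"); do
    set -- $(git -C "$repo" log -1 --format='%G? %GF' "$sha")
    status=${1:-N}; fpr=${2:-}
    case "$status" in
      G) case " $allowed " in
           *" $fpr "*) continue ;;
         esac
         echo "reject $sha: good signature, but key $fpr is not allowlisted" >&2 ;;
      *) echo "reject $sha: signature status '$status' (N=unsigned, B=bad, U=untrusted key)" >&2 ;;
    esac
    rejected=$((rejected + 1))
  done
  echo "$rejected"
}

# End-to-end run: both transport styles, then the policy on the incoming range.
demo() {
  work=$(setup_repos)
  echo "bundle: $(ship_as_bundle "$work") commit(s) fetched into incoming"
  echo "patches: $(ship_as_patches "$work") commit(s) applied with git am"
  echo "rejected by signing policy: $(check_signed_commits "$work/upstream" main..incoming 'CONSTRUCTED0FINGERPRINT')"
  rm -rf "$work"
}
```

Source the script and call `demo`: both transports deliver two commits, and the policy rejects both of them because the constructed contributor never signed anything. The `%G?`/`%GF` check is the part worth lifting into a pre-receive or CI step: it makes "good signature from an allowlisted key" a hard gate rather than a badge in the web interface, which is exactly what keeps a stolen push credential from being enough on its own.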

@sammorrowdrums @fribbledom good point. It's surprising that popular projects don't consider using signed commits as an important safeguard.

@fribbledom Putting Microsoft in control will surely fix our security problems...said no intelligent and sane being ever...

@fribbledom The real question is how they managed to tell the difference between a malicious and legitimate commit in php. Presumably their suspicions were raised when the code quality unexpectedly went up.

@fribbledom Terrible! Not only were they hacked, but also their response is to subjugate their development community to Microsoft!

(One wonders if Microsoft wasn't actually behind it all)

@fribbledom I can't understand the "news" around it? Completely normal, the next "news" is that someone else fixed it. Wow, usual work of a developer.

@roland

I think you're misunderstanding this. It's certainly not normal that someone commits exploits under the project maintainer's name.
