
PHP Repository Moves to GitHub After its Git Server Was Hacked

PHP powers the majority of web services and applications. It is an open-source, server-side scripting language.

Both It’s FOSS and the news portal are also powered by PHP (considering WordPress’s core).

However, in a shocking incident, it seems that PHP’s own Git server infrastructure was hacked and two malicious commits were pushed to add backdoors to PHP’s source code.

PHP Git Server Hacked to Insert Backdoors

Recently, two malicious commits were spotted that claimed to come from PHP’s creator Rasmus Lerdorf and contributor Nikita Popov.

The commits were quickly reverted, after a lifespan of an hour. Even though we know that malicious code was introduced as backdoors to PHP’s source code, it is highly unlikely that it affected any live PHP-powered server.

Most web servers (or operating systems) tend to update PHP only after rigorous testing and, in some cases, after reviewing the code and looking for bugs before making any change.

However, it was still a major breach and needs a thorough investigation, which seems to be ongoing.

PHP Repository Moved to GitHub

PHP maintainers realized that it was no longer viable to keep running their own Git server given the security risk.

Of course, it’s not impossible to tackle such issues in the future, but it seems that they no longer want to improve their current infrastructure, and do not have enough funds to do so.

So, they decided to discontinue the server and move the repository to GitHub instead.

If you are a contributor, you now need to be part of the PHP organization on GitHub in order to have write access to the repository. Here’s what Nikita mentioned in their official announcement:

While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub. If you are not part of the organization yet, or don’t have access to a repository you should have access to, contact me at [email protected] with your and GitHub account names, as well as the permissions you’re currently missing. Membership in the organization requires 2FA to be enabled

I think that’s definitely a good decision.

Beyond the move to GitHub, the community also wants to encourage cryptographic signing of commits.

Even Rasmus Lerdorf likes the idea and mentioned that commits to the source repository can follow that, while it could be made optional for documentation and other repos for now.
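Commit signing matters here because Git's author field is plain text chosen by whoever creates the commit, while a signature can be verified. The script below is an added example, not code from this article or from the PHP project: it lists commits that lack a verifiable signature, and the function names, demo repository and author identity are constructed for illustration.

```shell
#!/bin/sh
# Added example: list commits in a range that lack a verifiable signature.
# %G? status codes from git-log: G good, U good (unknown validity), N none,
# B bad, E cannot be checked (missing key), X/Y expired, R revoked key.
audit_signatures() {
    repo=$1
    range=${2:-HEAD}
    git -C "$repo" log --format='%H %G? %an <%ae>' "$range" |
    while read -r hash status author; do
        case $status in
            G|U) ;;                                  # signature verified
            N)   echo "UNSIGNED  $hash  $author" ;;
            B)   echo "BAD-SIG   $hash  $author" ;;
            *)   echo "UNVERIFIED($status)  $hash  $author" ;;
        esac
    done
}

# Constructed demo repository: two unsigned commits. The author identity is a
# placeholder and is accepted by Git without any proof of who typed it.
make_demo_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    for n in 1 2; do
        echo "change $n" > "$dir/file.txt"
        git -C "$dir" add file.txt
        git -C "$dir" -c user.name="Example Maintainer" \
            -c user.email="maintainer@example.invalid" \
            -c commit.gpgsign=false commit -q -m "constructed commit $n"
    done
    echo "$dir"
}

# Stand-alone run: audit the constructed repository, then clean up.
demo=$(make_demo_repo)
audit_signatures "$demo"
rm -rf "$demo"
```

On a real repository, pass a range such as `origin/master..HEAD` as the second argument; a result of `G` also requires the signer's public key to be present and trusted in the local keyring.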

What do you think about PHP’s repository now being on GitHub? Feel free to share your thoughts in the comments below.
