Lessons from the PHP git repo "hack"

@lbutlr kremels at kreme.com
Wed Mar 31 13:47:04 UTC 2021


As you may know, PHP has decided to move their repo to GitHub after an unauthorized "hack" was committed to PHP.

I say "hack" because it appears the code was intentionally obvious and went to some lengths to draw attention to itself, so it appears someone did this to highlight issues with the private git repo rather than a real attempt to hack. These changes were made under authorized accounts despite a 2FA system and it's unclear at this point how access was gained.

The current GitHub, which was a mirror only, will be the primary repo going forward and the PHP git server will be retired.

Which brings me to the reason for this post, as it seems that the ports collection of FreeBSD 13.x will be in the same position, running a private git server network and using GitHub as a mirror, and I wonder if some lessons from PHP's experience with this should be considered for this setup before it's implemented.

I'm not linking to stories about this because all the ones I can find are clickbait frothing panic-inducing nonsense rather than looking at what actually happened.

Maybe Krebs will post something soon.

-- 
Turning and turning in the widening gyre
The falcon cannot hear the falconer;



More information about the freebsd-ports mailing list