Lessons from the PHP git repo "hack"

Felix Palmen felix at palmen-it.de
Wed Mar 31 14:45:26 UTC 2021


* @lbutlr <kremels at kreme.com> [20210331 08:03]:
> On 31 Mar 2021, at 07:58, Felix Palmen <felix at palmen-it.de> wrote:
> > I'd say the lesson is keep your systems updated and pay attention to
> > keep your credentials safe/secret. I don't see how Github would
> > prevent such an incident any better.
> 
> That is making an assumption that the people running the php git
> server were incompetent,

Also note this isn't assumed at all.

"Incompetence", that could mean several things, e.g.:

* A committer somehow "leaking" their credentials
* A configuration error on the server

Then, it could be the case the server just wasn't maintained well
enough, which is typically more an issue of time / manpower than of
incompetence. The move to Github somehow suggests that the people in
charge might suspect something like this.

And finally, they could also be the victim of some 0day. But then,
moving to Github would hardly reduce the risk.

So, is there any other scenario you have in mind?

-- 
 Dipl.-Inform. Felix Palmen  <felix at palmen-it.de>   ,.//..........
 {web}  http://palmen-it.de  {jabber} [see email]   ,//palmen-it.de
 {pgp public key}     http://palmen-it.de/pub.txt   //   """""""""""
 {pgp fingerprint} A891 3D55 5F2E 3A74 3965 B997 3EF2 8B0A BC02 DA2A


More information about the freebsd-ports mailing list