Re: Website php.net updates and coordination

From: Date: Thu, 11 Jul 2024 13:54:23 +0000
Subject: Re: Website php.net updates and coordination
References: 1  Groups: php.internals 
On Wed, 10 Jul 2024, Roman Pronskiy wrote:

> 3. Deployment Process
> Recently, there was an incident with a code block pushed to the
> website accidentally: https://github.com/php/web-php/pull/1021. It was
> promptly reverted, but the case highlighted a potential security risk:

It wasn't an *accident* that I pushed it. Only people with commit access 
to php-web can push things, and that isn't a large list of people.

It is the RMs: https://github.com/orgs/php/teams/release-managers
and web-team: https://github.com/orgs/php/teams/web-team

Each has 13 members, but there are some overlaps.

The deploy scripts are all part of php-systems, of which only the 
repository owners can commit to, and web-master, which only the above 
mentioned web-team can commit to.

> unauthorized modifications could go unnoticed, potentially affecting
> all visitors of the php.net website worldwide. In theory, malicious
> code could be added to the server directly if access is compromised,
> with high chances of being unnoticed.

All commits to web-php and web-master are emailed to a mailing list: 
https://news-web.php.net/php.webmaster which I
actively monitor.

We can probably improve on this, but this is all pretty tight, 
more so than committing random things to the PHP source repository.

cheers,
Derick
