Re: [PHP-DEV] Website php.net updates and coordination

On Wed, 10 Jul 2024, Roman Pronskiy wrote:

> 3. Deployment Process
> Recently, there was an incident with a code block pushed to the
> website accidentally: Add analytics tracker for self-hosted Matomo by derickr · Pull Request #1021 · php/web-php · GitHub. It was
> promptly reverted, but the case highlighted a potential security risk:

It wasn't an *accident* that I pushed it. Only people with commit access
to php-web can push things, and that isn't a large list of people.

It is the RMs: [GitHub team link]
and web-team: [GitHub team link]

Each has 13 members, but there are some overlaps.

The deploy scripts are all part of php-systems, to which only the
repository owners can commit, and web-master, to which only the
above-mentioned web-team can commit.

> unauthorized modifications could go unnoticed, potentially affecting
> all visitors of the php.net website worldwide. In theory, malicious
> code could be added to the server directly if access is compromised,
> with high chances of being unnoticed.

All commits to web-php and web-master are emailed to a mailing list:
the php.webmaster mailing list, which I actively monitor.

We can probably improve on this, but this is all pretty tight,
more so than committing random things to the PHP source repository.

cheers,
Derick

On Thu, Jul 11, 2024, at 6:54 AM, Derick Rethans wrote:

> On Wed, 10 Jul 2024, Roman Pronskiy wrote:
>
>> 3. Deployment Process
>> Recently, there was an incident with a code block pushed to the
>> website accidentally: Add analytics tracker for self-hosted Matomo by derickr · Pull Request #1021 · php/web-php · GitHub. It was
>> promptly reverted, but the case highlighted a potential security risk:
>
> It wasn't an *accident* that I pushed it. Only people with commit access
> to php-web can push things, and that isn't a large list of people.
>
> It is the RMs: [GitHub team link]
> and web-team: [GitHub team link]
>
> Each has 13 members, but there are some overlaps.

These aren't public. The only public info appears to be the members of the PHP organization on GitHub, and I think something needs to be done to make the teams and roles (owner, moderator, etc) public information. This could probably be scripted and automated because it looks like it's not just a matter of flipping a switch somewhere on the GitHub side.

Jim

On 11/07/2024 18:38, Jim Winstead wrote:

> On Thu, Jul 11, 2024, at 6:54 AM, Derick Rethans wrote:
>
>> On Wed, 10 Jul 2024, Roman Pronskiy wrote:
>>
>>> 3. Deployment Process
>>> Recently, there was an incident with a code block pushed to the
>>> website accidentally: Add analytics tracker for self-hosted Matomo by derickr · Pull Request #1021 · php/web-php · GitHub. It was
>>> promptly reverted, but the case highlighted a potential security risk:
>>
>> It wasn't an *accident* that I pushed it. Only people with commit access
>> to php-web can push things, and that isn't a large list of people.
>>
>> It is the RMs: [GitHub team link]
>> and web-team: [GitHub team link]
>>
>> Each has 13 members, but there are some overlaps.
>
> These aren't public. The only public info appears to be the members of the PHP organization on GitHub, and I think something needs to be done to make the teams and roles (owner, moderator, etc) public information. This could probably be scripted and automated because it looks like it's not just a matter of flipping a switch somewhere on the GitHub side.
>
> Jim

Note that even the members aren't public information.
GitHub allows you, as a user, to hide to which organizations you belong.

(Follow ups to this should probably go to php-webmaster@lists.php.net
only, and no longer internals@)

On Thu, 11 Jul 2024, Jim Winstead wrote:

> On Thu, Jul 11, 2024, at 6:54 AM, Derick Rethans wrote:
>>
>> It is the RMs: [GitHub team link]
>> and web-team: [GitHub team link]
>>
>> Each has 13 members, but there are some overlaps.
>
> These aren't public. The only public info appears to be the members of
> the PHP organization on GitHub, and I think something needs to be done
> to make the teams and roles (owner, moderator, etc) public
> information. This could probably be scripted and automated because it
> looks like it's not just a matter of flipping a switch somewhere on
> the GitHub side.

I thought they were public.

I also had a look, and there is no switch anywhere.

Going forward, Roman and I have been speaking about getting a more
formal group together here (php-webmaster@) that makes decisions,
as ad-hoc commits to PHP's website are as much of an issue as ad-hoc
commits to its source code.

cheers,
Derick

--
https://derickrethans.nl | https://xdebug.org | https://dram.io

Author of Xdebug. Like it? Consider supporting me: Xdebug: Support

mastodon: @derickr@phpc.social @xdebug@phpc.social