Helping the PHP Community Strengthen its Security Posture
Posted April 2, 2021 by Bishop Bettini
LifeOmic is committed to open source, so we shared our quick-start guide to signing commits following a breach of the PHP source code repository. LifeOmic was not affected by this breach.
On Sunday, March 28th, 2021, two malicious commits were published into the primary source code repository for the PHP language. Fortunately, several eagle-eyed reviewers caught this attack before it was released into the wild. That’s a good thing, since 80% of the web runs on PHP.
PHP has long run its own infrastructure, including a Git server. Migrating to a cloud service was never really considered, for a variety of reasons, most of which boiled down to “what we have is working, let’s not waste resources moving and instead just keep putting out features.”
Well, it was only a matter of time: the infrastructure was compromised. What was amazing about the open source community was how transparent the response was. Within 24 hours, the incident was announced to the world and the decision was made to switch over to GitHub. While the move will take a while to complete and upcoming planned releases will be delayed, this was absolutely the right move to secure the supply chain.
PHP developers called for commit signing, which is where LifeOmic got involved. We use commit signing, because it’s a simple, transparent way to stop bad actors from denying responsibility for malicious changes. GitHub integrates fully with signed commits, allowing branches and repositories to receive commits only when signed by verified sources, so it’s really a no-brainer from a security standpoint.
Setting up signed commits isn’t an obvious thing, but we have built up internal documentation on how to do it. Our documentation has been “field tested” on the whole of our dev team, so it’s pretty solid for a variety of use cases. So we adapted and shared our documentation to help PHP developers quickly begin signing commits as part of their git flow.
The PHP community has made some useful suggestions that we can incorporate back into our internal documentation. As a business that relies on and is committed to open source, this is really a win-win situation. When everyone contributes to the security of the community, everyone’s posture improves.
The adapted documentation is available at: https://wiki.php.net/vcs/commit-signing
Updated on September 23, 2021 to note that LifeOmic was not impacted by this event.