The PHP programming language team has announced its repositories on GitHub are now canonical and changes should be pushed directly to GitHub rather than to git.php.net.

This change follows two malicious commits that were pushed to the php-src repo.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Nikita Popov, an open-source contributor to PHP, wrote in a post.

OSI’s statement on Stallman
The Open Source Initiative stated that it is against the reappointment of Richard Stallman to a leadership position at the Free Software Foundation.

OSI also said that it will not collaborate with the FSF until Stallman is removed from the organization’s leadership. Other organizations, such as Red Hat, have made similar statements.

“Free and open source software will not be accessible to all until it is safe for everyone to participate, and we therefore call upon our peers in the broader software community to join us in making these commitments,” OSI wrote in a post.

Ian Kelling joins FSF board of directors
In its ongoing effort to improve governance at the Free Software Foundation (FSF), the foundation’s union staff selected senior systems administrator Ian Kelling for the newly created seats on the board of directors and among the voting members.

“This is an important step in the FSF’s effort to recognize and support new leadership, to connect that leadership to the community, to improve transparency and accountability, and to build trust. There is still considerable work to be done, and that work will continue,” Geoffrey Knauth, the FSF president, wrote in a post.

Kat Walsh has announced her resignation from the board.

Apache weekly updates
Last week at the Apache Software Foundation saw the release of Apache Karaf 4.2.11, a lightweight, powerful, and enterprise-ready modulith runtime.

New releases last week also included Qpid JMS 0.57.0, Parquet 1.12.0, PDFBox 2.0.23, OFBiz 17.12.06 and SpamAssassin 3.4.5.

Multiple vulnerabilities were found and addressed, including an error in PDFBox in which a carefully crafted PDF file can trigger an infinite loop, or an OutOfMemory exception, while the file is being loaded.

Also, OFBiz had an RCE vulnerability due to Java serialization over RMI, and SpamAssassin had a vulnerability in which malicious rule configuration (.cf) files could be crafted to run system commands.

Additional details on all of the news from the ASF are available here.