When the first malicious commit was made under Rasmus’ name, my initial
reaction was to revert the change and revoke commit access for Rasmus’
account, on the assumption that this was an individual account compromise.
In hindsight, this action didn’t really make sense, because there was (at
the time) no reason to believe that the push occurred through Rasmus’
account in particular. Any account with access to the php-src repository
could have performed the push under a false name.
Read more: https://externals.io/message/113981