Kernel.org Linux repository rooted in hack attack

Anonymous Coward

It's git, so it's secure. But the repository is not the target.

""" One thing I always wondered was if a source repository is hacked and its contents modified, what is there to stop them modifying the list of hashes too? """"

Nothing. But that won't stop it from being detected.

Kernel.org folks are using 'git' for source control management. It's a completely distributed system. Each person that uses git to fetch source code from kernel.org downloads the full repository, checksums and all.

So the attackers cannot go back and change the history of the source code without being detected. Not unless they manage to hack every person that has downloaded the source code in the past... which is hundreds of thousands of people.

Their target wouldn't be the source code. Their target would be to gain access to the developers' machines by monitoring their activity and recording their passwords.

So if they do anything like:

* Use the same passwords for multiple systems

* Use 'scp' or 'sftp' to copy data from the server to their workstation or another machine (inputting their passwords in the process). That is, if they 'push' the data from an ssh session on the compromised system instead of 'pulling' it.

* Ssh to the compromised machine, then from that session ssh to others...

And things like that. Those sorts of things are very common bad habits among SSH users.

Once the developer's machine is compromised, the attacker gains access to signing keys in emails and that developer's private git branch (that nobody else pulls from). From there they can intercept and modify patches submitted to mailing lists, inject vulnerabilities into the developer's source code, and things of that nature.

THAT is how you compromise the Linux source code. Piggyback on legit patches and hope people don't audit them too closely... which, given the history of Linux development, is quite likely.

One particularly irritating thing is this statement:

"""“It's sort of surprising,” said Jon Oberheide, one of the Linux security researchers briefed on the breach. “If this was a very sophisticated attack, it's very unlikely that the attackers would use an off-the-shelf rootkit like Phalanx. Normally if you were to target a high-value target you would potentially use something that's more more tailored to your specific target, something that's not going to be flagged or potentially detected.”"""

Hey, fuckwit. Use your brain.

Why the hell would they use custom software to hack kernel.org when:

A) Off-the-shelf open source software works well enough (why would they want to make it harder?)

and

B) kernel.org is not the main target... it's a proxy to gain access to developers' vulnerable systems.

THEN, when they gain access to the vulnerable developer systems, they will use their secret techniques to consolidate control over those systems in an undetected manner.

Moron developers, who think they know much more than they really do about security, will just download some shit 'rootkit detection' software and say:

"NO Phalanx here!! The shit root kit detector says so. So even though I used the same shit password everywhere, and I ssh'd from the compromised systems back to my workstation and other people's computers... I am ALL SAFE. I now can stop paying attention!!! Yay!"

Then, once people 'resecure' kernel.org, it will just get hacked again, and again, and again, this time using much stealthier techniques.

Wipe the fucking systems.

Don't let people ssh to them anymore.

Don't let people have shells on them.

Don't let people use their ssh keys with them.

Don't let people choose shit passwords.

etc etc.

The only way to "secure" the system is to eliminate the chances that some tard open source developer is too lazy to use proper security on their machines.

So irritating.
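The point above about git's checksums is the one part of this post that can be shown concretely. The following is an added example written for this page (not code from kernel.org, git, or the poster) that reproduces git's object hashing (sha1 over "type length\0payload", with the same tree and commit layouts git uses) in Python, builds a two-commit history into an in-memory object store, and then plays the two things an attacker with write access to the server can do: edit a stored blob in place, which an fsck-style check catches immediately, or rewrite history consistently, which any clone that already holds the old tip catches because that tip is no longer an ancestor of what the server now serves. The file name, contents, author and timestamps are made up for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# object id (hex sha1) -> raw object bytes, standing in for .git/objects
Store = Dict[str, bytes]


def git_hash(obj_type: str, payload: bytes) -> Tuple[str, bytes]:
    """Hash exactly as git does: sha1(b"<type> <len>\\0<payload>")."""
    raw = b"%s %d\x00" % (obj_type.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), raw


def put(store: Store, obj_type: str, payload: bytes) -> str:
    oid, raw = git_hash(obj_type, payload)
    store[oid] = raw
    return oid


def put_tree(store: Store, entries: Dict[str, str]) -> str:
    # git tree entry: "<mode> <name>\0<20 raw sha bytes>", sorted by name
    payload = b"".join(
        b"100644 " + name.encode() + b"\x00" + bytes.fromhex(oid)
        for name, oid in sorted(entries.items()))
    return put(store, "tree", payload)


def put_commit(store: Store, tree_id: str, parent: Optional[str], msg: str) -> str:
    header = [f"tree {tree_id}"] + ([f"parent {parent}"] if parent else [])
    # fixed (made-up) identity and timestamp so the ids are deterministic
    header += ["author Dev <dev@example.org> 1314700000 +0000",
               "committer Dev <dev@example.org> 1314700000 +0000"]
    return put(store, "commit", ("\n".join(header) + "\n\n" + msg + "\n").encode())


def verify_store(store: Store) -> List[str]:
    """The check `git fsck` performs: every object must hash to its own name."""
    return [oid for oid, raw in store.items()
            if hashlib.sha1(raw).hexdigest() != oid]


def parents(store: Store, commit_id: str) -> List[str]:
    body = store[commit_id].split(b"\x00", 1)[1].decode()
    return [line.split(" ", 1)[1]
            for line in body.split("\n\n", 1)[0].splitlines()
            if line.startswith("parent ")]


def ancestors(store: Store, tip: str) -> List[str]:
    """Walk parent links from tip; the set a clone compares its old tip against."""
    seen: List[str] = []
    todo = [tip]
    while todo:
        c = todo.pop()
        if c not in seen:
            seen.append(c)
            todo.extend(parents(store, c))
    return seen


CLEAN = b"int nice = 0;\nint prio = 1;\n"                    # constructed file
BACKDOOR = b"int nice = 0;\nint prio = 1;\nint backdoor = 1;\n"  # constructed


def build_history(store: Store, sched_c: bytes) -> str:
    """Two commits touching one made-up file; returns the tip commit id."""
    c1 = put_commit(store, put_tree(store, {
        "sched.c": put(store, "blob", b"int nice = 0;\n")}), None, "Initial import")
    return put_commit(store, put_tree(store, {
        "sched.c": put(store, "blob", sched_c)}), c1, "sched: add prio")


def demo() -> dict:
    server: Store = {}
    tip = build_history(server, CLEAN)
    clone_tip = tip              # a developer fetched earlier and holds this id

    # Attack 1: overwrite the stored blob but keep its name. Content no longer
    # hashes to the name, so any fsck-style verification flags that object.
    bid, _ = git_hash("blob", CLEAN)
    server[bid] = git_hash("blob", BACKDOOR)[1]
    fsck_errors = verify_store(server)

    # Attack 2: rebuild the history consistently with the backdoor. Every id
    # above the changed blob changes, so the clone's tip is not an ancestor
    # of the new tip: a fetch sees the server diverging from known history.
    rewritten: Store = {}
    new_tip = build_history(rewritten, BACKDOOR)
    rewrite_detected = clone_tip not in ancestors(rewritten, new_tip)

    return {"fsck_errors": fsck_errors, "tampered_blob": bid,
            "rewrite_detected": rewrite_detected, "tips_differ": new_tip != clone_tip}


if __name__ == "__main__":
    print(demo())
```

Both detections depend on somebody outside the compromised host holding the old object ids: a clone, a signed tag, or a hash pasted into a mailing-list post. That is the whole of the "hundreds of thousands of people" argument, and it is also why the attacker goes after the developers' machines rather than the objects.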
