Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code

If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data. The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages …

  1. LordHighFixer

    Everything is better in the cloud?

    Score one for hosting your own critical infrastructure.

    1. Jim Mitchell

      Re: Everything is better in the cloud?

      https://www.computerworld.com/article/2573071/cybercrime-hacking/debian-project-servers-hacked.html

      1. Daggerchild

        Re: Everything is better in the cloud?

        Remember breaching the package storage isn't the same as breaching the package signing system (not that I can tell which is involved from the above).

    2. Anonymous Coward

      Now that GitHub is an M$ shop, this is another step of the M$ EEE strategy. Reason: Gentoo is a systemd hold-out.

      Gentoo is one of the few Linux distros not infected by systemd.

      Systemd is M$'s evil EEE Linux master plan; they "sponsor" Red Hat, SUSE, Canonical, etc. If a distro doesn't obey, they threaten to sue it out of business, Mafia-style business methods.

      Now that M$ has bought GitHub, M$ changed the source code of Gentoo. Unfortunately for them, somebody found out about the mismatching files, and it's good that Gentoo has its own servers with the original Git repo.

      1. elip

        Re: Now that GitHub is a M$-shop

        Gentoo hopped on systemd as soon as every other distro. The only difference with their effort, as always, is they provide you choice and an easy method of running without it.

    3. MatthewSt

      Re: Everything is better in the cloud?

      This won't be GitHub being hacked, this will be someone's account being used. It wouldn't make any difference whether it was on-prem or in the cloud.

  2. onefang

    Can we blame Microsoft yet? Can we, can we? Huh, can we pleeeease?

    1. JakeMS

      Soon! Hopefully!

  3. kneedragon

    ... so micr0$0ft just bought it, then ...

  4. Nick Kew

    No chain of trust?

    If you happened to download a fresh .iso, and have no or inadequate connection to the Strong Set, then you have a bootstrap problem.

    Anyone else should surely be protected by a chain of trust leading at the very least back to what they originally installed, and supported by signatures within the Strong Set.

    Or are you suggesting that (of all things) a techie-oriented Linux distro has no basic security in its distribution? That Gentoo is doing the spooks' bidding by laying itself wide open to the insertion of spyware, government-sanctioned or otherwise?

    1. phuzz

      Re: No chain of trust?

      From TFA:

      "Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org," Warner said.

      So yeah, there's a chain of trust, unless you chose not to follow it and to download from Github instead.

      1. Nick Kew

        Re: No chain of trust?

        Where you download from should have very little bearing on security. A cryptographic chain of trust works just as well with something off the back of a lorry as with the most trusted origin.

        I wouldn't rely on a "gentoo.org" address for my security: that would open me to any number of attack vectors. Verifiable PGP signatures of verifiable gentoo personnel work altogether better.

        1. Fibbles

          Re: No chain of trust?

          Where are you planning to get those PGP signatures if not gentoo.org?
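The three points argued in this subthread (Daggerchild's, that breaching package storage is not breaching the signing system; Nick Kew's, that a cryptographic chain of trust does not care where the bytes came from; and Fibbles', asking where the verifying key itself comes from) as one added worked example. This is not code from the article, the commenters or the Gentoo project: it uses Ed25519 from Go's standard library as a stand-in for the project's PGP signing, and the key pairs, the manifest line and the "mirror" releases are all constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a mirror hands back: the manifest bytes, a detached
// signature over them, and (as many mirrors do) a copy of the public key.
type Release struct {
	Manifest  []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// Signer stands in for the project's release-signing step (constructed).
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{pub: pub, priv: priv}
}

// Publish signs a manifest and bundles the key alongside, as a mirror would.
func (s Signer) Publish(manifest []byte) Release {
	return Release{Manifest: manifest, Signature: ed25519.Sign(s.priv, manifest), PubKey: s.pub}
}

// Fingerprint is what the installer records at install time: the one value
// every later download is checked against, whatever host served it.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

var (
	ErrUntrustedKey = errors.New("key fingerprint does not match pinned key")
	ErrBadSignature = errors.New("signature does not verify over manifest")
)

// VerifyPinned is the origin-independent check: only the key whose
// fingerprint was pinned may vouch for the manifest, and the signature
// must actually cover the bytes received.
func VerifyPinned(rel Release, pinnedFP string) error {
	if Fingerprint(rel.PubKey) != pinnedFP {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(rel.PubKey, rel.Manifest, rel.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyNaive trusts whichever key arrived with the download. It answers
// "was this signed?" but not "was this signed by the project?".
func VerifyNaive(rel Release) bool {
	return ed25519.Verify(rel.PubKey, rel.Manifest, rel.Signature)
}

// Outcome collects the result of each scenario so they can be inspected.
type Outcome struct {
	CleanPinned    error // honest mirror, pinned check
	TamperedPinned error // storage tampered, signing key untouched
	ResignedPinned error // attacker re-signs with own key, pinned check
	ResignedNaive  bool  // same re-signed release, naive check
}

func RunScenarios() Outcome {
	project := NewSigner()
	pinned := Fingerprint(project.pub) // recorded from the install media (constructed)
	manifest := []byte("DIST app-1.0.tar.xz 12345 SHA512 0123abcd\n") // constructed
	clean := project.Publish(manifest)

	// Compromise 1: the mirror's storage is altered but the signing key was
	// never reached, so the old signature no longer covers the bytes.
	tampered := clean
	tampered.Manifest = bytes.Replace(clean.Manifest, []byte("0123abcd"), []byte("deadbeef"), 1)

	// Compromise 2: the attacker re-signs the altered manifest with their
	// own key and ships that key next to it, as a mirror would.
	attacker := NewSigner()
	resigned := attacker.Publish(tampered.Manifest)

	return Outcome{
		CleanPinned:    VerifyPinned(clean, pinned),
		TamperedPinned: VerifyPinned(tampered, pinned),
		ResignedPinned: VerifyPinned(resigned, pinned),
		ResignedNaive:  VerifyNaive(resigned),
	}
}

func main() {
	o := RunScenarios()
	fmt.Println("clean, pinned:     ", o.CleanPinned)
	fmt.Println("tampered, pinned:  ", o.TamperedPinned)
	fmt.Println("re-signed, pinned: ", o.ResignedPinned)
	fmt.Println("re-signed, naive:  ", o.ResignedNaive)
}
```

The pinned fingerprint is the answer to the "where do you get the key" question: you obtain it once, from the medium you originally installed from, and every later key offered by a mirror (gentoo.org or GitHub alike) is compared against it, so a compromised host can neither alter the manifest under the real signature nor substitute a signature of its own.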

  5. TVU

    As Mr C from the Shamen said on the Ebeneezer Goode track, "Naughty, naughty, very naughty!".

    I hope the culprit is identified and named, shamed and prosecuted.

  6. Anonymous Coward

    Laughable .... are we really expected to trust a distro that can't keep itself secure?

  7. cuvtixo

    Where's Hardened Gentoo when needed?

    Is it a coincidence that " Hardened Gentoo" seems to have been languishing since at least Jan 2016? https://wiki.gentoo.org/wiki/Talk:Hardened_Gentoo - a question about documentation ("what is 'cd grub?'") was responded to, but not answered. A second "discussion" was started in Dec 2017 about the need for updates to the wiki page. Now, I understand much or all of the work of this project has migrated or been subsumed into Gentoo's SELinux, but the old stuff has been left dangling in the wind, as it were. Disinterest seems to have affected, or infected!, the Gentoo project! What is going on there?

    1. onefang

      Re: Where's Hardened Gentoo when needed?

      My guess is the developer community got split with the Funtoo fork, but I've not been following things in Gentoo land.

    2. randon8154

      Re: Where's Hardened Gentoo when needed?

      musl hardened profile, updated several times a week

      https://wiki.gentoo.org/wiki/Project:Hardened_musl

      - What is going on there?

      Don't know what to reply... wiki.gentoo and forums.gentoo will help you.

  8. Rogerborg 2.0

    Individuals, plural?

    How do they know that it wasn't just one people?


Biting the hand that feeds IT © 1998–2020