Gentoo's github account compromised
55 views
Skip to first unread message
Chris Laprise
Jun 28, 2018, 7:08:19 PM6/28/18
to qubes...@googlegroups.com
https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002
> Today 28 June at approximately 20:20 UTC unknown individuals have gained
> control of the Github Gentoo organization, and modified the content of
> repositories as well as pages there. We are still working to determine the
> exact extent and to regain control of the organization and its
> repositories.
>
> All Gentoo code hosted on github should for the moment be considered
> compromised. This does NOT affect any code hosted on the Gentoo
> infrastructure. Since the master Gentoo ebuild repository is hosted on our
> own infrastructure and since Github is only a mirror for it, you are fine
> as long as you are using rsync or webrsync from gentoo.org.
>
> Also, the gentoo-mirror repositories including metadata are hosted under a
> separate Github organization and likely not affected as well.
>
> All Gentoo commits are signed, and you should verify the integrity of the
> signatures when using git.
>
> More updates will follow.
>
> -A
I suggested to them on Twitter they might wish to use Qubes tech to help
protect their passwords and keys.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> Today 28 June at approximately 20:20 UTC unknown individuals have gained
> control of the Github Gentoo organization, and modified the content of
> repositories as well as pages there. We are still working to determine the
> exact extent and to regain control of the organization and its
> repositories.
>
> All Gentoo code hosted on github should for the moment be considered
> compromised. This does NOT affect any code hosted on the Gentoo
> infrastructure. Since the master Gentoo ebuild repository is hosted on our
> own infrastructure and since Github is only a mirror for it, you are fine
> as long as you are using rsync or webrsync from gentoo.org.
>
> Also, the gentoo-mirror repositories including metadata are hosted under a
> separate Github organization and likely not affected as well.
>
> All Gentoo commits are signed, and you should verify the integrity of the
> signatures when using git.
>
> More updates will follow.
>
> -A
I suggested to them on Twitter they might wish to use Qubes tech to help
protect their passwords and keys.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Reply all
Reply to author
Forward
0 new messages