Hacked: Github service from Gentoo

khz
Established Member
Posts: 1648
Joined: Thu Apr 17, 2008 6:29 am
Location: German

Hacked: Github service from Gentoo

Post by khz »

. . . FZ - Does humor belong in Music?
. . GNU/LINUX@AUDIO ~ /Wiki $ Howto.Info && GNU/Linux Debian installing >> Linux Audio Workstation LAW
  • I don't care about the freedom of speech because I have nothing to say.
protozone
Established Member
Posts: 181
Joined: Tue May 08, 2018 9:02 pm

Re: Hacked: Github service from Gentoo

Post by protozone »

Whoa, that's kinda rather very not good!
I have been told that Gentoo is historically resilient against certain types of malware/hacks/exploits.
I haven't yet used it, so I don't know much about that though.
But I get a bad feeling about that news.

It "dovetails" with the Microsoft acquisition.
Microsoft products have a reputation of being vulnerable to malware/hacks/exploits/adware/spyware/ransomware/annoyances.
People messing with programmers' stuff makes me nervous.
But all hell broke loose when VAULT 7 happened.

So it's still sorta "water under the bridge" (a torrential flow).
Thanks for the news.
I'm gonna have to tell a friend of mine about this.
tux99
Established Member
Posts: 346
Joined: Fri Sep 28, 2012 10:42 am

Re: Hacked: Github service from Gentoo

Post by tux99 »

This is nowhere near as bad as you seem to think. Quoting from the announcement:
This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.
protozone
Established Member
Posts: 181
Joined: Tue May 08, 2018 9:02 pm

Re: Hacked: Github service from Gentoo

Post by protozone »

@Tux,

Yeah, I agree with you; it's not as bad as people might assume.
But it still makes me nervous because it implies attempts to mess with Gentoo.
I know hackers good and bad try to tinker with or destroy just about anything and everything, but it's still noteworthy for certain fields of use/concern.

Some others act like Linux is not vulnerable like M$ windoze or App Mac iOS, or Android, ZTE, etc.
But I feel like we all (the whole world, pretty much) have a case of The Emperor's New Clothes.

I wish the Linux community would just be more emphatic about how to be secure more easily and, instead of mystifying or demystifying, just do more than provide security patches. It'd be nice if everything was nailed down with a user-friendly, newbie-friendly, expert-friendly toolset that was always signed.

But of course our BIOS/firmware downloads aren't even checksummed or signed and usually require access via M$ windoze exe's or similar. By this I mean all computer users, regardless of OS, mostly.

All it takes culturally is a peek under the hood into Mozilla Firefox and all the mainstream others to know that internet security is largely a hoax.
I remember when I saw my kids interactively using the computer webcam for an online game even though I had just manually disabled the webcam in all available settings for Mac OS and Flash and javastuff. It was a stinging reminder that "they" will get through no matter what. And to make matters worse, the online game used facial recognition algorithms too, and the kids were playing unsupervised until I walked in. (They aren't actually "my kids" but I care about 'em and try to protect 'em from stuff when I can).

Who verifies the CAs, for example? How do we know that every Certificate Authority isn't actually just a man-in-the-middle attack established as the norm? And who would validate the validators?

Applied computer science is becoming more and more like pathogenic microbiology and dirty politics.
Part of why I enjoy music is that the final validation is only whether the final draft sounds good to my own ears or not, and hopefully to most others too.
But I don't like the idea of my DAW being part of a botnet being used by anybody anywhere to do just about anything.
khz
Established Member
Posts: 1648
Joined: Thu Apr 17, 2008 6:29 am
Location: German

Re: Hacked: Github service from Gentoo

Post by khz »

The following repositories received malicious commits, which have been reset back to a known good state:

https://github.com/gentoo/gentoo - mirror of https://gitweb.gentoo.org/repo/gentoo.git/
https://github.com/gentoo/musl - mirror of https://gitweb.gentoo.org/proj/musl.git/
https://github.com/gentoo/systemd - mirror w/ branches from upstream systemd https://github.com/systemd/systemd
https://infra-status.gentoo.org/notice/20180629-github

Only a few repositories! (Many distributions use repositories.)

NO PANIC!

How quickly the Gentoo devs realized it,
how quickly (RT) they reported it,
solved the problems,
~took up pursuit of the assailant, ...
is remarkable!
Thanks to all developers!
protozone
Established Member
Posts: 181
Joined: Tue May 08, 2018 9:02 pm

Re: Hacked: Github service from Gentoo

Post by protozone »

Thanks, that's somewhat of a relief.