Page 1 of 1

Hacked: Github service from Gentoo

Posted: Fri Jun 29, 2018 2:54 pm
by khz

Re: Hacked: Github service from Gentoo

Posted: Fri Jun 29, 2018 9:13 pm
by protozone
Whoah, that's kinda rather very not good!
I have been told that Gentoo is historically resilient against certain types of malware/hacks/exploits.
I haven't yet used it, so I don't know much about that though.
But I get a bad feeling about that news.

It "dovetails" with the Microsoft acquisition.
Microsoft products have a reputation of being vulnerable to malware/hacks/exploits/adware/spyware/ransomware/annoyances.
People messing with programmers's stuff makes me nervous.
But all hell broke loose when VAULT 7 happened.

So it's still sorta "water under the bridge" (a torrential flow).
Thanks for the news.
I'm gonna have to tell a friend of mine about this.

Re: Hacked: Github service from Gentoo

Posted: Fri Jun 29, 2018 10:31 pm
by tux99
This is nowhere near as bad as you seem to think. Quoting from the announcement:
This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.

Re: Hacked: Github service from Gentoo

Posted: Sat Jun 30, 2018 1:37 am
by protozone
@Tux,

Yeah, i agree with you; it's not that bad as people might assume.
But it still makes me nervous because it implies attempts to mess with Gentoo.
I know hackers good and bad try to tinker or destroy just about anything n everything, but it's still noteworthy for certain fields of use/concern.

Some others act like Linux is not vulnerable like M$ windoze or App Mac iOS, or Android, ZTE, etc.
But I feel like we all (the whole world, pretty much) have a case of The Emperor's New Clothes.

I wish the linux community would just be more emphatic of how to more easily be secure and instead of mystifying or demystifying, just do more than privide security patches. It'd be nice if everything was nailed down with a user-friendly newbie-friendly expert-friendly toolset that was always signed.

But of course our BIOS/firmware dowloads aren't even checksummed or signed and usually require access via M$ windoze exe's or similar. By this I mean, all computer users regardless of OS, mostly.

All it takes culturally is a peek under the hood into Mozilla FireFox and all the mainstream others to know that internet security is largely a hoax.
I remember when i saw my kids interactively using the computer webcam for an online game even though i had just manually disabled the webcam in all available settings for Mac OS and flash and javastuff. It was a stinging reminder that "they" will get thru no matter what. And to make matters worse, the online game used facial recognition algorithms too, and the kids were playing unsupervised until i walked in. (They aren't actually "my kids" but i care about em and try to protect em from stuff when i can).

Who verifies the CA's, for exmple? How do we know that every Certificate Authority isn't actually just a man-in-the-middle attack established as norm? And who would validate the validators?

Applied computer science is becoming more and more like pathogenic microbiology and dirty politics.
Part of why i enjoy music, is because the final validation is only if the final draft sounds good to my own ears or not, and hopefully to most others too.
But i dont like the idea of my DAW being part of a botnet being used by anybody anywhere to do just about anything.

Re: Hacked: Github service from Gentoo

Posted: Sat Jun 30, 2018 6:48 am
by khz
The following repositories received malicious commits, which have been reset back to a known good state:

https://github.com/gentoo/gentoo - mirror of https://gitweb.gentoo.org/repo/gentoo.git/
https://github.com/gentoo/musl - mirror of https://gitweb.gentoo.org/proj/musl.git/
https://github.com/gentoo/systemd - mirror w/ branches from upstream systemd https://github.com/systemd/systemd
https://infra-status.gentoo.org/notice/20180629-github

Only few repositories! (Many distributions use repositories.)

NO PANIC!

How quickly the Gentoo Devs realized that,
how quickly (RT) they report,
Solving problems,
~take up pursuit of the assailant, ...
is remarkable!
Thanks to all developers!

Re: Hacked: Github service from Gentoo

Posted: Sat Jun 30, 2018 11:42 pm
by protozone
Thanks, that's somewhat of a relief.