1 |
El 29/06/18 a las 03:55, Duane Robertson escribió: |
2 |
> On Thu, 28 Jun 2018 23:15:36 +0200 |
3 |
> "Francisco Blas Izquierdo Riera (klondike)" <klondike@g.o> wrote: |
4 |
> |
5 |
>> Hi! |
6 |
>> |
7 |
>> I just want to notify that an attacker has taken control of the Gentoo |
8 |
>> organization in Github and has among other things replaced the portage |
9 |
>> and musl-dev trees with malicious versions of the ebuilds intended to |
10 |
>> try removing all of your files. |
11 |
>> |
12 |
>> Whilst the malicious code shouldn't work as is and GitHub has now |
13 |
>> removed the organization, please don't use any ebuild from the GitHub |
14 |
>> mirror ontained before 28/06/2018, 18:00 GMT until new warning. |
15 |
>> |
16 |
>> Sincerely, |
17 |
>> Francisco Blas Izquierdo Riera (klondike) |
18 |
>> Gentoo developer. |
19 |
>> |
20 |
>> |
21 |
> Is it at all likely that any signing keys have been compromised? I |
22 |
> can't think of how that would happen, but I don't know much about the |
23 |
> situation. |
24 |
> |
25 |
If you mean the release signing key the answer is a clear no according |
26 |
to infra's forensics. If you mean specific developers' keys it is |
27 |
unlikely but not fully impossible as we still don't know how the |
28 |
attackers got hold of the compromised accounts. |