Gentoo Archives: gentoo-announce

From: Alec Warner <antarus@g.o>
To: gentoo-announce@l.g.o, gentoo-user@l.g.o
Subject: [gentoo-announce] Re: Gentoo Github Organization hacked.
Date: Wed, 04 Jul 2018 16:13:41
Message-Id: CAAr7Pr9bstXsXJWs8akp7+1E3yjnHgvBS+4T2LKCskk1be0MNQ@mail.gmail.com
We believe this incident to be resolved and we have written an incident
report:

https://wiki.gentoo.org/wiki/Github/2018-06-28

Thanks to the community for their support during this incident.

-A

On Thu, Jun 28, 2018 at 5:13 PM, Alec Warner <antarus@g.o> wrote:

> Today 28 June at approximately 20:20 UTC unknown individuals have gained > control of the Github Gentoo organization, and modified the content of > repositories as well as pages there. We are still working to determine the > exact extent and to regain control of the organization and its > repositories. > > All Gentoo code hosted on github should for the moment be considered > compromised. This does NOT affect any code hosted on the Gentoo > infrastructure. Since the master Gentoo ebuild repository is hosted on our > own infrastructure and since Github is only a mirror for it, you are fine > as long as you are using rsync or webrsync from gentoo.org. > > Also, the gentoo-mirror repositories including metadata are hosted under a > separate Github organization and likely not affected as well. > > All Gentoo commits are signed, and you should verify the integrity of the > signatures when using git. > > More updates will follow. > > -A >