Gentoo Archives: gentoo-user

From: R0b0t1 <r030t1@×××××.com>
To: gentoo-user@l.g.o, duane@××××××××××××××.com, klondike@g.o
Subject: Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
Date: Fri, 29 Jun 2018 02:58:05
Message-Id: CAAD4mYhOtxf7=rUOME4A-wqo1QJPb_QhVVhNVTpfbnDcPKXdZw@mail.gmail.com
In Reply to: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning! by Duane Robertson
On Thu, Jun 28, 2018 at 8:55 PM, Duane Robertson
<duane@××××××××××××××.com> wrote:
> On Thu, 28 Jun 2018 23:15:36 +0200
> "Francisco Blas Izquierdo Riera (klondike)" <klondike@g.o> wrote:
>
>> Hi!
>>
>> I just want to notify that an attacker has taken control of the Gentoo
>> organization in Github and has among other things replaced the portage
>> and musl-dev trees with malicious versions of the ebuilds intended to
>> try removing all of your files.
>>
>> Whilst the malicious code shouldn't work as is and GitHub has now
>> removed the organization, please don't use any ebuild from the GitHub
>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>
>> Sincerely,
>> Francisco Blas Izquierdo Riera (klondike)
>> Gentoo developer.
>>
>>
>
> Is it at all likely that any signing keys have been compromised? I
> can't think of how that would happen, but I don't know much about the
> situation.
>

It is my understanding that release engineering maintains separate keys
explicitly to prevent situations like this from getting worse.

But, the same machine which was compromised (if a machine was
compromised) likely had commit signing keys. Considering the size of
Gentoo, I think GitHub would respond to a request for information on
who added the malicious account to the project if that information is
not already available.


Considering what was done it could be assumed that no access to the
master repository was available. If so, any change pushed to the
mirror might have been far easier to notice and the attacker could
have considered their GitHub access worthless.

I'm not sure the above is a reasonable assessment; someone likely just
burned access easily worth multiple millions of dollars in CPU time.
Other infrastructure should be under scrutiny for past exploitation.

Cheers,
R0b0t1
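The practical check behind the key discussion above, as an added example that is not part of the thread and not Gentoo's own tooling: a checkout pulled from a mirror is only used if its HEAD commit carries a good OpenPGP signature from a key in a dedicated keyring, so a mirror compromise that rewrites commits without the right signing key is caught before any ebuild is run. The repository path, the keyring directory and the throwaway key are assumptions constructed for the demo.

```shell
# Added example (not from the thread): gate use of a git checkout on a commit
# signature from a purpose-specific keyring. Paths and the demo key are made up.
# Requires git and gpg (2.1+) on PATH.

# verify_head REPO GNUPGHOME: exit 0 only when HEAD carries a good signature
# from a key present in that GNUPGHOME. The user's normal keyring and any other
# purpose's keyring are deliberately not consulted, mirroring key separation.
verify_head() {
    GNUPGHOME="$2" git -C "$1" -c gpg.program=gpg verify-commit HEAD >/dev/null 2>&1
}

# run_demo: build a throwaway keyring and repo, then show that a commit signed
# with the trusted key passes and an unsigned commit on top of it fails.
# Prints "ok" when both outcomes are as expected.
run_demo() {
    work=$(mktemp -d)
    home="$work/keyring"; repo="$work/repo"
    mkdir -m 700 "$home"; mkdir "$repo"

    # Throwaway signing key (constructed for the demo), no passphrase, confined to $home.
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <signer@example.invalid>' default default never 2>/dev/null
    fpr=$(GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}')

    git -C "$repo" init -q
    git_cfg="-c user.name=demo -c user.email=demo@example.invalid -c gpg.program=gpg"

    # Legitimate commit: signed with the key held in the dedicated keyring.
    echo 'EAPI=7' > "$repo/demo.ebuild"
    git -C "$repo" add demo.ebuild
    GNUPGHOME="$home" git -C "$repo" $git_cfg -c user.signingkey="$fpr" commit -q -S -m 'signed'
    verify_head "$repo" "$home" && signed=pass || signed=fail

    # Tampered commit: content changed and committed without the signing key,
    # as an attacker with only mirror write access could do.
    echo 'tampered' >> "$repo/demo.ebuild"
    git -C "$repo" add demo.ebuild
    git -C "$repo" $git_cfg commit -q -m 'tampered'
    verify_head "$repo" "$home" && tampered=pass || tampered=fail

    gpgconf --homedir "$home" --kill all 2>/dev/null || true
    rm -rf "$work"

    if [ "$signed" = pass ] && [ "$tampered" = fail ]; then
        echo ok
    else
        echo "signed=$signed tampered=$tampered"
    fi
}
```

In practice verify_head would run after every fetch and before anything in the tree is sourced; the keyring directory holds only the keys you accept for that tree, so a developer key leaked from an unrelated machine does not satisfy the check unless it was also enrolled there. Gentoo's own tree verification works on signed Manifest files rather than bare git commit signatures; the example shows the principle, not Gentoo's mechanism.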