On Fri, Jun 29, 2018 at 11:46 AM gevisz <gevisz@×××××.com> wrote:
>
> 2018-06-29 0:15 GMT+03:00 Francisco Blas Izquierdo Riera (klondike)
> <klondike@g.o>:
> >
> > I just want to notify that an attacker has taken control of the Gentoo
> > organization in Github and has among other things replaced the portage
> > and musl-dev trees with malicious versions of the ebuilds intended to
> > try removing all of your files.
> >
> > Whilst the malicious code shouldn't work as is and GitHub has now
> > removed the organization, please don't use any ebuild from the GitHub
> > mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>
> I have heard that Github was bought by MS. So, why not move to GitLab?
>

This has been the subject of a fair bit of discussion actually.
However, that alone wouldn't have prevented an attack like this as far
as I can tell. That is, the compromise didn't involve anything in
Github's control, but just a compromised password.

There are plenty of reasons to consider moving to GitLab. Right now
the general sentiment seems to be wait-and-see, as gitlab.com is still
proprietary and isn't as popular (which was one of the original
drivers for having support on Github). What I think would have the
bigger impact is if somebody actually came up with a FOSS distributed
solution for bug/issue/PR tracking that was decent. Then just as we
can have multiple mirrors of the code we could have multiple mirrors of
everything else and all of this would be less of an issue.

--
Rich