| 1 |
On Fri, Jun 29, 2018 at 11:46 AM gevisz <gevisz@×××××.com> wrote: |
| 2 |
> |
| 3 |
> 2018-06-29 0:15 GMT+03:00 Francisco Blas Izquierdo Riera (klondike) |
| 4 |
> <klondike@g.o>: |
| 5 |
> > |
| 6 |
> > I just want to notify that an attacker has taken control of the Gentoo |
| 7 |
> > organization in Github and has among other things replaced the portage |
| 8 |
> > and musl-dev trees with malicious versions of the ebuilds intended to |
| 9 |
> > try removing all of your files. |
| 10 |
> > |
| 11 |
> > Whilst the malicious code shouldn't work as is and GitHub has now |
| 12 |
> > removed the organization, please don't use any ebuild from the GitHub |
| 13 |
> > mirror ontained before 28/06/2018, 18:00 GMT until new warning. |
| 14 |
> |
| 15 |
> I have heard that Github was bought by MS. So, why not to move to GitLab? |
| 16 |
> |
| 17 |
|
| 18 |
This has been the subject of a fair bit of discussion actually. |
| 19 |
However, that alone wouldn't have prevented an attack like this as far |
| 20 |
as I can tell. That is, the compromise didn't involve anything in |
| 21 |
Github's control, but just a compromised password. |
| 22 |
|
| 23 |
There are plenty of reasons to consider moving to GitLab. Right now |
| 24 |
the general sentiment seems to be wait-and-see, as gitlab.com is still |
| 25 |
proprietary and isn't as popular (which was one of the original |
| 26 |
drivers for having support on Github). What I think would have the |
| 27 |
bigger impact is if somebody actually came up with a FOSS distributed |
| 28 |
solution for bug/issue/PR tracking that was decent. Then just as we |
| 29 |
can have multiple mirrors of the code we could have muliple mirrors of |
| 30 |
everything else and all of this would be less of an issue. |
| 31 |
|
| 32 |
-- |
| 33 |
Rich |
Archives