1 |
On Fri, Jun 29, 2018 at 7:19 AM, Francisco Blas Izquierdo Riera |
2 |
(klondike) <klondike@g.o> wrote: |
3 |
> El 29/06/18 a las 03:55, Duane Robertson escribió: |
4 |
>> On Thu, 28 Jun 2018 23:15:36 +0200 |
5 |
>> "Francisco Blas Izquierdo Riera (klondike)" <klondike@g.o> wrote: |
6 |
>> |
7 |
>>> Hi! |
8 |
>>> |
9 |
>>> I just want to notify that an attacker has taken control of the Gentoo |
10 |
>>> organization in Github and has among other things replaced the portage |
11 |
>>> and musl-dev trees with malicious versions of the ebuilds intended to |
12 |
>>> try removing all of your files. |
13 |
>>> |
14 |
>>> Whilst the malicious code shouldn't work as is and GitHub has now |
15 |
>>> removed the organization, please don't use any ebuild from the GitHub |
16 |
>>> mirror ontained before 28/06/2018, 18:00 GMT until new warning. |
17 |
>>> |
18 |
>>> Sincerely, |
19 |
>>> Francisco Blas Izquierdo Riera (klondike) |
20 |
>>> Gentoo developer. |
21 |
>>> |
22 |
>>> |
23 |
>> Is it at all likely that any signing keys have been compromised? I |
24 |
>> can't think of how that would happen, but I don't know much about the |
25 |
>> situation. |
26 |
>> |
27 |
> If you mean the release signing key the answer is a clear no according |
28 |
> to infra's forensics. If you mean specific developers' keys it is |
29 |
> unlikely but not fully impossible as we still don't know how the |
30 |
> attackers got hold of the compromised accounts. |
31 |
> |
32 |
|
33 |
I can't help but notice this was moved to gentoo-user. Are posts to |
34 |
gentoo-dev being moderated properly, or should I not bother submitting |
35 |
anything? |