Gentoo Archives: gentoo-user

From: Nikos Chantziaras <realnc@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
Date: Sat, 30 Jun 2018 16:50:38
Message-Id: ph8c8a$9de$1@blaine.gmane.org
In Reply to: Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning! by Rich Freeman
On 30/06/18 19:15, Rich Freeman wrote:
> On Sat, Jun 30, 2018 at 9:54 AM Francisco Blas Izquierdo Riera
> (klondike) <klondike@g.o> wrote:
>>
>> On 29/06/18 at 18:33, Peter Humphrey wrote:
>>> On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
>>> (klondike) wrote:
>>>> [...]
>>>> Whilst the malicious code shouldn't work as is and GitHub has now
>>>> removed the organization, please don't use any ebuild from the GitHub
>>>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>> Does this mean that we're safe to use anything from after your warning?
>>>
>> It means you are safe to use anything from official Gentoo sources other
>> than GitHub. As of now even GitHub should be okay as there was a force
>> push to restore the repositories.
>>
>
> If you are using git syncing I believe that portage will verify that
> the top commit (which is the only one that really matters) is using a
> trusted key if you put the following line in repos.conf for the
> repository:
> sync-git-verify-commit-signature = true
>
> Obviously this only works with repositories signed by one of the Gentoo keys.
> [...]

When using git to sync portage, aren't you supposed to use:

git://anongit.gentoo.org/repo/sync/gentoo.git

anyway instead of GitHub?
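
An added example, not part of the original thread and not Gentoo's own code: a small Python audit that reads repos.conf-style text and reports git-synced repositories that lack the sync-git-verify-commit-signature setting quoted above or whose sync-uri points at GitHub. The sample file contents, the section name mirror-copy, the function name audit_repos_conf and the true/yes spellings it accepts are assumptions made for the illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample input (not taken from the thread or from a real system).
SAMPLE_REPOS_CONF = """
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = git://anongit.gentoo.org/repo/sync/gentoo.git
sync-git-verify-commit-signature = true

[mirror-copy]
location = /var/db/repos/mirror-copy
sync-type = git
sync-uri = https://github.com/example/placeholder-mirror.git

[local]
location = /var/db/repos/local
"""


def audit_repos_conf(text):
    """Return {repo_name: [findings]} for every git-synced repository."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for name in cp.sections():  # the DEFAULT section is not listed here
        repo = cp[name]
        if repo.get("sync-type", "").strip().lower() != "git":
            continue  # only git syncing is covered by this setting
        findings = []
        # Assumption: only "true" or "yes" counts as enabled.
        verify = repo.get("sync-git-verify-commit-signature", "false")
        if verify.strip().lower() not in ("true", "yes"):
            findings.append("top-commit signature verification is off")
        uri = repo.get("sync-uri", "").strip()
        # Fall back to scp-style "user@host:path" when there is no URL scheme.
        host = urlparse(uri).hostname or uri.split("@")[-1].split(":")[0]
        if host == "github.com" or host.endswith(".github.com"):
            findings.append("sync-uri points at GitHub")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_repos_conf(SAMPLE_REPOS_CONF).items():
        print(name + ":", "; ".join(findings) if findings else "OK")
```
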
