On Sat, Jun 30, 2018 at 9:54 AM Francisco Blas Izquierdo Riera
(klondike) <klondike@g.o> wrote:
>
> On 29/06/18 at 18:33, Peter Humphrey wrote:
> > On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
> > (klondike) wrote:
> >> Hi!
> >>
> >> I just want to notify that an attacker has taken control of the Gentoo
> >> organization in Github and has among other things replaced the portage
> >> and musl-dev trees with malicious versions of the ebuilds intended to
> >> try removing all of your files.
> >>
> >> Whilst the malicious code shouldn't work as is and GitHub has now
> >> removed the organization, please don't use any ebuild from the GitHub
> >> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
> > Does this mean that we're safe to use anything from after your warning?
> >
> It means you are safe to use anything from official Gentoo sources other
> than GitHub. As of now even GitHub should be okay as there was a force
> push to restore the repositories.
>

If you are using git syncing I believe that portage will verify that
the top commit (which is the only one that really matters) is using a
trusted key if you put the following line in repos.conf for the
repository:
sync-git-verify-commit-signature = true

Obviously this only works with repositories signed by one of the Gentoo keys.

I couldn't find documentation on this option. Is there an option like
this that lets you provide your own list of trusted keys, such as for
a mirror? It looks like portage is just looking at a .asc with a
bunch of keys in it and checking that one of them signed the top
commit. Presumably you could provide your own .asc of trusted keys
and use that for other repos that are signed.

Assuming this works (I didn't actually test it with a bad top commit),
it would have prevented this particular attack, or any other that
didn't compromise the Gentoo keys.

--
Rich
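The repos.conf stanza below is an added example, not something posted in this thread or shipped by Gentoo. It shows the git-sync configuration described above with commit-signature verification switched on, alongside the `sync-openpgp-key-path` option from the Portage repos.conf(5) man page, which points Portage at a keyring file of trusted keys; the repository name, mirror URL and `/etc/portage/keys/mirror-keys.asc` path are placeholders, and whether this option was available in the June 2018 Portage release is not stated in the thread.

```ini
# /etc/portage/repos.conf/gentoo.conf  (added example, placeholder values)

[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = git
# Example mirror URL; substitute the remote you actually sync from.
sync-uri = https://example.invalid/gentoo-mirror/gentoo.git
auto-sync = yes

# Reject a sync whose top (HEAD) commit is not signed by a trusted key.
# Without this line a force-pushed, unsigned history is accepted silently.
sync-git-verify-commit-signature = yes

# Keyring of trusted OpenPGP keys used for that check. The default is the
# Gentoo release keyring; for a third-party repository you would point this
# at your own exported .asc of the keys you trust for that repo.
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc

[my-overlay]
location = /var/db/repos/my-overlay
sync-type = git
sync-uri = https://example.invalid/my-overlay.git
auto-sync = yes
sync-git-verify-commit-signature = yes
# Separate keyring for a repository signed by non-Gentoo keys (placeholder path).
sync-openpgp-key-path = /etc/portage/keys/mirror-keys.asc
```

With this in place, `emerge --sync` fetches the remote, then verifies the signature on the new HEAD against only the keys in the configured keyring before updating the checkout; a replaced tree signed by an untrusted key, or not signed at all, fails the sync rather than landing in the local repository. A quick way to confirm the setting is active is to run the sync and watch for the verification step in its output; Portage also exposes the merged configuration through `portageq repos_config /`.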