Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
Date: Sat, 30 Jun 2018 16:16:03
Message-Id: CAGfcS_kgNCvoje4YDMW9v4_ErF4GJXDAtpt-z5Y7xX+We_5Kcw@mail.gmail.com
In Reply to: Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning! by "Francisco Blas Izquierdo Riera (klondike)"
On Sat, Jun 30, 2018 at 9:54 AM Francisco Blas Izquierdo Riera
(klondike) <klondike@g.o> wrote:
>
> On 29/06/18 at 18:33, Peter Humphrey wrote:
> > On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
> > (klondike) wrote:
> >> Hi!
> >>
> >> I just want to notify that an attacker has taken control of the Gentoo
> >> organization in Github and has among other things replaced the portage
> >> and musl-dev trees with malicious versions of the ebuilds intended to
> >> try removing all of your files.
> >>
> >> Whilst the malicious code shouldn't work as is and GitHub has now
> >> removed the organization, please don't use any ebuild from the GitHub
> >> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
> > Does this mean that we're safe to use anything from after your warning?
> >
> It means you are safe to use anything from official Gentoo sources other
> than GitHub. As of now even GitHub should be okay as there was a force
> push to restore the repositories.
>

If you are using git syncing I believe that portage will verify that
the top commit (which is the only one that really matters) is using a
trusted key if you put the following line in repos.conf for the
repository:
sync-git-verify-commit-signature = true

Obviously this only works with repositories signed by one of the Gentoo keys.

I couldn't find documentation on this option. Is there an option like
this that lets you provide your own list of trusted keys, such as for
a mirror? It looks like portage is just looking at a .asc with a
bunch of keys in it and checking that one of them signed the top
commit. Presumably you could provide your own .asc of trusted keys
and use that for other repos that are signed.

Assuming this works (I didn't actually test it with a bad top commit),
it would have prevented this particular attack, or any other that
didn't compromise the Gentoo keys.

--
Rich
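The check Rich describes (is the top commit signed by one of the keys in a .asc you supply?) can be reproduced outside portage. The script below is an added example, not portage's code or anything from this thread; it assumes git and gpg are installed and that the caller passes a repository path and a keyring file of the kind a mirror operator would publish.

```shell
#!/bin/sh
# Added example (not portage's own implementation): verify that the top
# commit of a git repository is signed by one of the keys in a caller-supplied
# .asc keyring. A throwaway GNUPGHOME is used so that nothing outside that
# file is trusted. REPO and KEYRING_ASC are assumptions about the caller.

# Map git's %G? signature status letter to an accept/reject decision.
# "G" is a good signature; "U" is a good signature from a key that carries
# no ownertrust in the temporary keyring. Both pass, because the .asc file
# itself is the trust list. N (unsigned), B (bad), E (key missing) fail.
signature_status_ok() {
    case "$1" in
        G|U) return 0 ;;
        *)   return 1 ;;
    esac
}

# verify_head_signature REPO KEYRING_ASC
# Returns 0 only when HEAD carries a good signature from a key in KEYRING_ASC.
verify_head_signature() {
    repo=$1
    keyring=$2
    gnupghome=$(mktemp -d) || return 1
    chmod 700 "$gnupghome"
    # Import only the supplied keys; an empty or malformed file is a failure.
    if ! GNUPGHOME=$gnupghome gpg --batch --quiet --import "$keyring" 2>/dev/null; then
        rm -rf "$gnupghome"
        return 1
    fi
    # %G? = signature status letter, %GF = fingerprint of the signing key.
    status=$(GNUPGHOME=$gnupghome git -C "$repo" log -1 --format='%G?' HEAD 2>/dev/null)
    fpr=$(GNUPGHOME=$gnupghome git -C "$repo" log -1 --format='%GF' HEAD 2>/dev/null)
    rm -rf "$gnupghome"
    if signature_status_ok "$status"; then
        echo "HEAD signed by key in $keyring: ${fpr}"
        return 0
    fi
    echo "HEAD signature check failed (status: ${status:-none})" >&2
    return 1
}
```

Because only the keys from the .asc exist in the temporary GNUPGHOME, a commit signed by any other key (including a key that happens to be in your normal keyring) is rejected, which is the property that matters when the remote has been force-pushed by someone else.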
