Gentoo has been Compromised On GitHub

Discussion in 'Linux' started by taylorlawson, Jun 29, 2018.

  1. taylorlawson

    taylorlawson MDL Junior Member

    Jan 1, 2017
    62
    13
    0
  2. elytron

    elytron MDL Novice

    Mar 18, 2014
    4
    3
    0
    I don't use Gentoo, though bad news for those that do.
     
  3. lewcass

    lewcass MDL Senior Member

    Mar 10, 2018
    429
    251
    10
    And GitHub was recently bought by Microsoft.
     
  4. I installed it for fun this afternoon, and I don't really like it given how much time it needs to do an emerge -a @world; if you don't have a powerful computer it's boring.
    Too bad, I'm sure it's a great distro besides this problem.
     
  5. Hadron-Curious

    Hadron-Curious MDL Guru

    Jul 4, 2014
    3,730
    603
    120
    This is clear evidence that Linux security is overrated, despite being relatively better than other operating systems'.
     
  6. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    867
    1,388
    30
    #7 John Sutherland, Oct 5, 2018
    Last edited: Oct 5, 2018
    In my opinion, this is one of those cases where it's a pretty big deal, but it's far from an "end of the world" scenario. The people who download a distribution's source code from GitHub and compile from scratch are in the minority, while the vast majority of Gentoo users would instead visit gentoo.org/downloads and download an .iso file for installation. Just because someone can hack a distribution server and substitute their own modified code doesn't mean the original code was in any way faulty to begin with. It just means these people are pretty damn clever at what they do.

    A couple of years ago someone hacked one of the three Linux Mint mirrors located in Bulgaria and did a similar swap, compromising both the 32 bit and 64 bit versions of LM Cinnamon. None of the other .iso files (KDE, MATE, Xfce, LMDE) were affected. Someone running the server discovered this almost immediately. The server was brought offline, the compromised files were removed, and Clem and his team were notified of the problem, all within an hour and a half. Clem posted a warning on his blog and on the forum about the problem, advising everyone not to use any LM .iso's they had downloaded on 2/20/2016, just to be safe. The bad part came later in the day.

    When the perpetrators found out that their plot had been foiled so quickly, they hacked the Linux Mint user forums as a form of retribution. The forums were down for nearly a week, and that's when people really went off the deep end, spreading all sorts of rumors, innuendo, and hearsay. Many promised they were going back to Ubuntu, or to Windows, or to Debian, or wherever it was they came from in the first place. Anything but Linux Mint. In their minds, trust had been broken and things could never be the same again. I made it a point not to get involved. I just bit my tongue, sat back, and had a chuckle over some of the idiocy being displayed. It took a couple of weeks before the ruckus died down, and eventually things on the forum got back to normal.
     
  7. taylorlawson

    taylorlawson MDL Junior Member

    Jan 1, 2017
    62
    13
    0
    I'm guessing you didn't look at the start date of the thread?

    Just because they resolved the GitHub issue 4 months ago at the start of July doesn't make it old news for those that were infected 4 months ago, and neither does it make it a less worthwhile topic for all those that needed to go through their systems and re-install from scratch, as Gentoo is a popular OS for remote headless boxes. Do you think everyone would have got the news instantly for set-and-forget boxes?
     
  8. oldsh_t

    oldsh_t MDL Expert

    Dec 23, 2009
    1,081
    532
    60
    FYI... I checked the date.
    This is where it is a good idea to have a backup. If people don't want to do that or learn how to do that, then paying the price of a complete reinstall or loss of information may change their mind.

    My point was that it was not a flaw in the system but in fact an admin got hacked and that was the way they compromised the system. Had the admin not gotten hacked we would not be talking about this today!
     
  9. taylorlawson

    taylorlawson MDL Junior Member

    Jan 1, 2017
    62
    13
    0
    Sorry Dude, but your logic, reasoning and attitude are plainly ridiculous and have no place in security.

    What use is a backup when that backup contains all the passwords, encrypted keys, encrypted volumes and whatever else might have been taken when compromised? It's all going to have to be changed and started from scratch.
     
  10. oldsh_t

    oldsh_t MDL Expert

    Dec 23, 2009
    1,081
    532
    60
    Sorry I did not know I was talking to a security expert. My bad!!
    Have a nice day!
     
  11. Rouben

    Rouben MDL Member

    Oct 17, 2017
    113
    60
    10
    I wonder if PGP signing commits in all “official” public repos would address this issue? That way mirrors can be compromised, but as long as the legitimate commits are signed, the rogue ones would be very easy to spot...
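
The check proposed in the last post, as an added example that is not part of the thread: it audits the output of `git log --format='%H %G? %GF'` and rejects every commit that is unsigned, badly signed, or signed by a key outside a pinned allowlist. The function names, commit hashes and fingerprints are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit commit signature status against a pinned allowlist.
# Input lines have the shape produced by:
#   git log --format='%H %G? %GF' <range>
# %G? is git's signature status code, %GF the signing key's fingerprint.

# Hypothetical allowlist of trusted signing-key fingerprints (constructed values).
TRUSTED_FPRS="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"

# Reads "<hash> <status> [fingerprint]" lines on stdin.
# Prints one finding per rejected commit; returns non-zero if any was rejected.
audit_signatures() {
    local hash status fpr bad=0
    while read -r hash status fpr; do
        [ -z "$hash" ] && continue
        case "$status" in
            G|U) # signature verifies: the pinned allowlist is the trust decision
                if ! printf '%s\n' "$TRUSTED_FPRS" | grep -qxF -- "$fpr"; then
                    echo "REJECT $hash signed by unpinned key ${fpr:-<none>}"; bad=1
                fi ;;
            N)  echo "REJECT $hash unsigned"; bad=1 ;;
            B)  echo "REJECT $hash bad signature"; bad=1 ;;
            E)  echo "REJECT $hash signature cannot be checked"; bad=1 ;;
            X|Y|R) echo "REJECT $hash expired or revoked ($status)"; bad=1 ;;
            *)  echo "REJECT $hash unknown status '$status'"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: two commits from pinned keys, one unsigned commit,
# and one commit with a valid signature from a key that is not pinned.
SAMPLE_LOG="c0ffee01 G AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
c0ffee02 N
c0ffee03 G CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333
c0ffee04 G BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"

# Runs the audit over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_LOG" | audit_signatures; }
```

Against a real clone the input would come from `git log --format='%H %G? %GF' <range> | audit_signatures`. The allowlist has to be distributed outside the repository host, since a valid signature from an unknown key (the `c0ffee03` case) is otherwise indistinguishable from a legitimate one.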