I installed it for fun this afternoon, and I don't really like it given how much time it needs to do an emerge -a @World; if you don't have a powerful computer it's boring. Too bad, I'm sure it's a great distro besides this problem.
This is clear evidence that Linux security is overrated, despite being relatively better than other operating systems'.
In my opinion, this is one of those cases where it's a pretty big deal, but it's far from an "end of the world" scenario. The people who download a distribution's source code from GitHub and compile from scratch are in the minority, while the vast majority of Gentoo users would instead visit gentoo.org/downloads and download an .iso file for installation. Just because someone can hack a distribution server and substitute their own modified code doesn't mean the original code was in any way faulty to begin with. It just means these people are pretty damn clever at what they do. A couple of years ago someone hacked one of the three Linux Mint mirrors located in Bulgaria and did a similar swap, compromising both the 32-bit and 64-bit versions of LM Cinnamon. None of the other .iso files (KDE, MATE, Xfce, LMDE) were affected. Someone running the server discovered this almost immediately. The server was brought offline, the compromised files were removed, and Clem and his team were notified of the problem, all within an hour and a half. Clem posted a warning on his blog and on the forum about the problem, advising everyone not to use any LM .isos they had downloaded on 2/20/2016, just to be safe. The bad part came later in the day. When the perpetrators found out that their plot had been foiled so quickly, they hacked the Linux Mint user forums as a form of retribution. The forums were down for nearly a week, and that's when people really went off the deep end, spreading all sorts of rumors, innuendo, and hearsay. Many promised they were going back to Ubuntu, or to Windows, or to Debian, or wherever it was they came from in the first place. Anything but Linux Mint. In their minds, trust had been broken and things could never be the same again. I made it a point not to get involved. I just bit my tongue, sat back, and had a chuckle over some of the idiocy being displayed.
It took a couple of weeks before the ruckus died down, and eventually things on the forum got back to normal.
I'm guessing you didn't look at the start date of the thread? Just because they resolved the GitHub issue 4 months ago at the start of July doesn't make it old news for those that were infected 4 months ago, and neither does it make it a less worthwhile topic for all those that needed to go through their systems and re-install from scratch, as Gentoo is a popular OS for remote headless boxes; do you think everyone would have got the news instantly for set-and-forget boxes?
FYI... I checked the date. This is where it is a good idea to have a backup. If people don't want to do that or learn how to do that, then paying the price of a complete reinstall or loss of information may change their mind. My point was that it was not a flaw in the system but in fact an admin got hacked and that was the way they compromised the system. Had the admin not gotten hacked we would not be talking about this today!
Sorry, dude, but your logic, reasoning and attitude are plainly ridiculous and have no place in security. What use is a backup when that backup contains all the passwords, encrypted keys, encrypted volumes and whatever else might have been taken when compromised? It's all going to have to be changed and started from scratch.
I wonder if PGP signing commits in all “official” public repos would address this issue? That way mirrors can be compromised, but as long as the legitimate commits are signed, the rogue ones would be very easy to spot...
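The check the post above is asking about, as an added example that is not part of this thread or of any Gentoo tooling: a small audit script that reads the output of `git log --format='%H %G? %GS'` (git's one-letter signature status code plus the signer) and flags every commit that is unsigned, badly signed, or signed by a key outside an allow-list of maintainers. The allow-list and the sample log lines are constructed for illustration; `git_log_signatures` assumes `git` and `gpg` are available when run against a real checkout.

```python
"""Flag commits in a git history whose PGP signature is missing, bad, or from an
unexpected signer.

Input lines have the shape produced by:
    git log --format='%H %G? %GS' <rev-range>
where %G? is git's one-letter signature status and %GS is the signer's identity.
"""
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? status codes, as documented in git-log(1).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, made by expired key",
    "R": "good signature, made by revoked key",
    "E": "cannot check signature (missing key)",
    "N": "no signature",
}


@dataclass
class CommitSig:
    sha: str
    status: str
    signer: str


def parse_log(text: str) -> list[CommitSig]:
    """Parse '<sha> <status> [<signer>]' lines into CommitSig records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 2)
        sha, status = parts[0], parts[1]
        signer = parts[2].strip() if len(parts) > 2 else ""
        commits.append(CommitSig(sha, status, signer))
    return commits


def find_suspicious(commits: list[CommitSig], trusted_signers: set[str]) -> list[tuple[str, str, str]]:
    """Return (sha, status, explanation) for every commit that is not a good
    signature from one of the trusted signers.  A good signature from an
    unexpected key is reported too: a compromised mirror could push commits
    signed with an attacker-controlled key, and only the allow-list catches that.
    """
    findings = []
    for c in commits:
        if c.status != "G":
            findings.append((c.sha, c.status, STATUS_MEANING.get(c.status, "unknown status code")))
        elif c.signer not in trusted_signers:
            findings.append((c.sha, c.status, f"good signature but untrusted signer: {c.signer}"))
    return findings


def git_log_signatures(repo_path: str, rev_range: str = "HEAD~50..HEAD") -> list[CommitSig]:
    """Run git against a real checkout and parse its signature report (not used by the test)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%H %G? %GS", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


# Constructed sample output: four fake commits with placeholder hashes.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G Alice Maintainer <alice@example.org>
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 B Alice Maintainer <alice@example.org>
4444444444444444444444444444444444444444 G Someone Else <unknown@example.net>
"""

# Constructed allow-list of maintainers whose keys are expected to sign commits.
TRUSTED = {"Alice Maintainer <alice@example.org>"}

if __name__ == "__main__":
    for sha, status, why in find_suspicious(parse_log(SAMPLE_LOG), TRUSTED):
        print(f"{sha[:12]} [{status}] {why}")
```

Signing alone only helps if something actually verifies: a `%G?` of `G` still needs the allow-list check, and running this on the mirror you pull from (or in CI before building) is what turns the signatures into a detection rather than decoration.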