Presented w/o comment:
https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002
Today 28 June at approximately 20:20 UTC unknown individuals have gained
control of the Github Gentoo organization, and modified the content of repositories as well as pages there.
Github
unknown individuals
Microsoft Corp. is buying GitHub Inc. for $7.5 billion
Ballmer so hard mfkers wanna fine me
Is that meant in a sarcastic/non-serious way (to uninstall)?
This would fit under the low-effort rule. Since the thread looks like it’s taking off anyways, I’m not going to close it, but please include commentary or input in the future.
It seems that as long as you aren’t pulling direct from github, this is a non-issue. Breaches happen. Looks like Gentoo did the responsible thing and announced it quickly.
I wouldn’t say “switch away” over this alone.
Ah sorry. The gist is that a lot of the GitHub repos for Gentoo are compromised, likely as a result of lack of 2FA.
Nah, it's just a meme.
No worries, just a friendly reminder.
Yeah, it was just too funny to pass up tho
I was just looking at this… This is too gud.
This solution is easily solvable from a user-end perspective though.
They just need to change the server or mirror that hosts their portage tree and resync. It's a quick edit in the /etc/portage/repos.conf file.
People's systems shouldn't be using GitHub anyway; it's just a copy.
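The repos.conf edit mentioned above, as an added example that is not part of the thread: a small POSIX shell audit that reads a repos.conf-style file and reports every repository whose sync-uri points at github.com, so an admin can see at a glance whether a box is syncing from the mirror rather than from Gentoo's own infrastructure. The sample config is constructed for the example; the repository name, location and URIs in it are assumptions, and the rsync URI quoted in the note below is the standard Gentoo rsync endpoint.

```shell
#!/bin/sh
# Added example (not from the thread): audit a repos.conf-style file for
# sync-uri entries that point at github.com.

# Constructed sample config, standing in for /etc/portage/repos.conf.
# The "gentoo" repo here is the weak setting: it syncs from the GitHub mirror.
SAMPLE_CONF=$(cat <<'EOF'
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
auto-sync = yes

[local]
location = /var/db/repos/local
EOF
)

# A second constructed config that already syncs from Gentoo's rsync mirror.
SAFE_CONF=$(cat <<'EOF'
[gentoo]
location = /var/db/repos/gentoo
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
auto-sync = yes
EOF
)

# find_github_sync_uris CONFIG_TEXT
# Prints "section=uri" for each sync-uri whose host is github.com
# (https://github.com/..., git://github.com/... and git@github.com:... forms).
find_github_sync_uris() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2) }
        /^[ \t]*sync-uri[ \t]*=/ {
            sub(/^[ \t]*sync-uri[ \t]*=[ \t]*/, "")
            if ($0 ~ /github\.com[:\/]/) print section "=" $0
        }'
}

# Exit status 1 when at least one repo syncs from GitHub, 0 otherwise,
# so the function can be used as a check in a larger script.
syncs_from_github() {
    [ -n "$(find_github_sync_uris "$1")" ]
}

# Stand-alone run: report findings for the constructed sample.
if syncs_from_github "$SAMPLE_CONF"; then
    echo "repos syncing from github.com:"
    find_github_sync_uris "$SAMPLE_CONF"
else
    echo "no repos sync from github.com"
fi
```

To use it against a real system, pass `"$(cat /etc/portage/repos.conf)"` (or the files under `/etc/portage/repos.conf/`) instead of the constructed sample. Any repo it reports can be pointed back at Gentoo's own rsync infrastructure with `sync-type = rsync` and `sync-uri = rsync://rsync.gentoo.org/gentoo-portage`, followed by `emerge --sync`; Portage's own sync verification options (for example `sync-git-verify-commit-signature` for git syncs, assuming a Portage version that supports it) are the longer-term safeguard, since they check who signed the tree rather than where it was fetched from.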
Poor proactive from Gentoo, 2fa should have been mandatory.
Nah, github just hosts the mirror of the portage tree. The actual OG server that holds all the packages didn’t get compromised. It’s a severe issue that IMO will be blown out of proportion though.
From an end user perspective if they chose their mirror to be github they are boned… But like I said, they just need to change their mirror / rsync server and resync.
If anything this will affect Daniel Robbins and Funtoo more than anything else; their portage tree syncs with Gentoo's GitHub tree daily.
Agreed. Proactive isn't the word I meant to use… meant just that their way of doing things should have covered this anyway.
Didn’t know funtoo were pulling from their github
Yeah, Daniel Robbins (dev of Funtoo) uses GitHub directly as their portage tree. It syncs daily to keep their repositories up-to-date with Gentoo's.
The benefit of this is that updates and the Portage tree are much faster than rsync and there is no limit to how often you update.
On Gentoo's, if you sync your tree more than twice you could potentially be banned for a few hours from the original server, thus being unable to update your system.
As for why this is a thing, idk, but repositories get updated daily every evening. So you technically only have to sync once a day.
This entire situation is schadenfreude fuel tbh
I doubt it, the userbase of Gentoo is relatively small compared to other distros like Ubuntu, Fedora, etc. Ironically enough though for a distro that claims to be rolling release there are a metric ass-tonne of outdated packages within the portage tree.
Overall, it's a serious issue nonetheless. But as long as the end user doesn't sync their tree from GitHub, or just doesn't sync their tree period if they don't know how to change their mirror, they are fine.
Don’t prematurely attribute to malice that which can be explained by incompetence…
As per @Eden, there's been a history of open source (and closed source, for that matter) projects being compromised due to appalling developer security (stolen SSH keys with access to stuff like this with no passphrase, etc.).
Open source is all well and good but “general” developer security practice (whether open or closed source) is generally fucking appalling. Most developers don’t care about security; it’s an afterthought. As evidenced by the general software quality in the industry, install guides telling people to turn off various security features to make things work, etc. Security is normally a long way down the list after “get the thing working” and then “fixing crash bugs”. And that goes for both closed and open source software.
This goes hand in hand with their desktop security practices on their development workstations. Frequently behind on patches, holes opened up to do various fringe tasks, etc.
I work with a couple of developers, have more as friends, and I've managed to drill "thinking about security" into the guys at work, eventually, but it's difficult. And these guys are getting paid for it…
Food for thought.
Remember the Mint .iso backdoors? Gentoo's recent trouble isn't nearly as bad as that debacle.
I was joking