Looks like it’s time to uninstall Gentoo

Extract from article:
The Gentoo team didn’t beat around the bush, and quickly published an unequivocal statement about the breach.
The Gentoo GitHub repository is only a secondary copy of the main Gentoo source code.
The main Gentoo repository is intact.
All changes in the main Gentoo repository are digitally signed and can therefore be verified.
As far as we know, the main Gentoo signing key is safe, so the digital signatures are reliable.

The question is why would someone do it? Just to break something or did they get lucky with a password guess?

1 Like

That’s better

2 Likes

Could’ve just been a robot farming GitHub repos. They’re all over the place and scan it continuously for people who accidentally upload environment variables or SSH keys.

Probably, but the problem is that they hacked it and modified and laced the entire Portage tree with alleged malware.

1 Like

The people who did that are literally the scum of the earth and should be ashamed.

It’s an asshole move, but it’s not system-breaking. However, it has the potential to be, though.

1 Like

I don’t see much of a problem here. Shit happens. Learn what went wrong, learn from it and move on. At least they had the mind to keep secure copies of it elsewhere, so restoring the tree was easy. They also responded publicly about it as soon as they could, so the damage was very minimal anyway.

Also, this is GitHub, so is there a reason why they couldn’t have just moved back to a previous commit? Seems like it would be an easy solution.

I’m not entirely familiar with Git, so excuse me if I’m ignorant.

Scary thing is if Linux becomes the desktop of the year. This will be a constant attack.

Gentoo will, if they’re capable, get all the mirrors back to legit code. But if you portaged bad code and it was smart/sneaky code, it’s bad news.

Only if the mirrors pointed from the GitHub repo instead of the actual main repo owned by them.

I was just saying, if you portaged bad code while GitHub was bad… it’s bad… If it mirrored more from GitHub to lower mirrors there, then yeah, still the same issue, only more systems.

@Marten

People that run Gentoo typically know what they’re doing.

If they heard the news?

Whenever they sync, there are news messages in the terminal. It is likely that it will be there.

3 Likes

It’s a somewhat nothing burger unless the code is awesome. Then it hits the news.

If you can re-compile or overwrite bad binaries then fine.

obligatory because Gentoo:

1 Like