Extract from article:
The Gentoo team didn’t beat around the bush, and quickly published an unequivocal statement about the breach.
The Gentoo GitHub repository is only a secondary copy of the main Gentoo source code.
The main Gentoo repository is intact.
All changes in the main Gentoo repository are digitally signed and can therefore be verified.
As far as we know, the main Gentoo signing key is safe, so the digital signatures are reliable.
The question is why would someone do it? Just to break something or did they get lucky with a password guess?
Could’ve just been a robot farming GitHub repos. They’re all over the place and scan it continuously for people who accidentally upload environment variables or SSH keys.
I don't see much of a problem here. Shit happens. Learn what went wrong, learn from it and move on. At least they had the mind to keep secure copies of it elsewhere, so restoring the tree was easy. They also responded publicly about it as soon as they could, so the damage was very minimal anyway.
Also, this is GitHub, so is there a reason why they couldn't have just moved back to a previous commit? Seems like it would be an easy solution.
I'm not entirely familiar with git, so excuse me if I'm ignorant.
I was just saying if you portaged bad code while GitHub was bad… It's bad… If it mirrored more from GitHub to lower mirrors there then yer still the same issue only more systems.