Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Project Servers Compromised

Posted by jamie on from the batten-down-hatches dept.

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.

3 of 666 comments (clear)

  1. Digital Signing of Packages? by Chris_Jefferson · · Score: 5, Interesting

    This is the second time this has happened to a big open-source project (the first being the GNU servers a while ago). All packages by both groups are "md5" signed, which is supposed to protect against malicous hacking. However if the root server is comprimised, this doesn't help. Companies (including at least Microsoft, and the people who make ad-aware) who distribute files over the internet sign them with an RSA (or similar) key, and the computer which does this signing is kept disconnected from the internet. For such large projects which are installed by millions of people, might a similar system not be a good idea?

    --
    Combination - fun iPhone puzzling
  2. Everything's a tradeoff by buddha42 · · Score: 5, Interesting
    On the one hand stuff like this scare's the hell out of me, but on the other hand I'm very reasurred by how the debian community handles it. Full disclosure, detailed explanations, and very conservative thinking (exibited by the "3.0r2 is fine, but we're not releasing it anyway just to be anally sure").

    At this point I would like to see the debian team develop some written policies and procedures for how they intend to prevent this sort of thing in the future. I checked the site and while there's security info for how to secure your box, there's no policies on 'how does the debian project secure itself'.

    Lastly, one concept you have to keep in mind, we have no idea how often other OS's key servers are cracked because they'd never tell us.

  3. I Haven't Paid for Debian by Bob9113 · · Score: 5, Interesting

    This news made me realize how much I depend on Debian. At the moment, every one of my machines (four servers, three workstations, and a laptop) runs Debian. I've been running it as my primary OS for... two years? So far I haven't paid a dime for it. It is a nice advantage of Free Software to be able to use it for free, but given the fact that I'm way out of "try-before-you-buy" mode, I'm going to send them a check today. Software in the Public Interest was founded by and is the current funding source for Debian.

    One server compromise in the two years that I've been watching by a company with zero product sales revenue is pretty impressive. An OS that is (IMO) dramatically superior to any commercial offering for free? They've earned my respect, and have clearly earned my cash.

    --
    Stop-Prism.org: Opt Out of Surveillance