Slashdot Mirror


Debian Server Compromised

Security News writes "According to a post on the debian-devel-announce mailing list, 'Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it.' gluck is a core development machine."

5 of 349 comments

  1. Question by Frogbert · · Score: 4, Interesting

    I realise that the Debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

  2. Re:Once is ok, but twice is too much... by sqlrob · · Score: 3, Interesting

    Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

    Are you sure about that? Remember, the MS network was compromised a while ago as well. Do you trust their auditing?

  3. What was exploited..? by paulmer2003 · · Score: 3, Interesting

    Does anyone know what in particular was exploited? TFA doesn't give a flying fuck of information.

  4. Re:Once is ok, but twice is too much... by Waffle+Iron · · Score: 3, Interesting

    If you remember, the incident in question involved someone loose for weeks or months on Microsoft's internal networks before they were discovered. It wouldn't have been impossible for them to modify the code before it got signed. Microsoft had to spend a great deal of effort to try to verify that such a thing didn't actually happen.

  5. Dear Hackers by SnowZero · · Score: 3, Interesting

    Dear Hackers,

    If you manage to hack into the main repository, please fix this bug. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.

    If you hack, do it for the right reasons.