Warning: 'MetalKettle' Repository For Kodi Becomes Vulnerable After GitHub Takeover

BrianFagioli shares a report from BetaNews: Unfortunately, there can apparently be security issues with repositories when they shut down. For example, when the metalkettle repo ended, the developer deleted its entry on GitHub. This in itself is not a cause for concern, but unfortunately, GitHub's allowance of project names to be recycled is. You see, someone re-registered the metalkettle name, making it possible for nefarious people to potentially serve up malware to Kodi users. The warning came from the metalkettle developer over on Twitter. He warns that devices with the repository installed could be in danger from a security standpoint. If a user was to search that repo, and the new owner of the GitHub name was to share malware, the user could assume it is safe and install it. We do not know 100 percent if the person that re-registered the metalkettle name on GitHub is planning anything evil, but it is better to be safe than sorry. If you still have the repository installed, you should remove it immediately. Not to mention, if you know someone using Kodi, such as a friend or family member, you should warn them too.

May I be the first to point out the obvious?

Of course the fault here is not the reuse of the repository name, but trusting the repository implicitly in the first place. After all, both the repository and Kodi (whatever that is) would also be compromised if the account of anyone with push access was compromised, or if Github itself was compromised, for that matter.

Re:Does it seem...

[Nemyst]

Much as that'd have avoided it, I don't think it's fair to call the maintainer "idiot" for what's essentially a problem with the way Github handles project names and URLs. He's no longer maintaining it and he should be able to do whatever the fuck he wants with the account without having to worry about stupid consequences like this.