Slashdot Mirror

← Back to Stories (view on slashdot.org)

GitHub Gentoo Organization Hacked (gentoo.org)

Posted by BeauHD on from the heads-up dept.

Longtime Slashdot reader Chutzpah shares a report from Gentoo Linux, a Linux distribution built using the Portage package management system: June 28 at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised.

This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org. Update 6/29/18: Gentoo has regained control of the Gentoo GitHub Organization and is working on a procedure for resolution. You can view the update status here.

41 comments

  1. fp by Anonymous Coward · · Score: 0

    fp

  2. Re:So? by Anonymous Coward · · Score: 0

    It's simply a mirror. It allowed users to contribute in a workflow that they were used to.

  3. 2FA via U2F by Anonymous Coward · · Score: 0

    Get a hardware token like a Yubikey.

  4. Internal feud or genuine hack? by ISayWeOnlyToBePolite · · Score: 1

    Can anyone who follows Gentoo comment on if there are reasons to believe this is the result of some internal feud or a genuine hack?

    1. Re: Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      You may have a point. systemd feuding caused the harsh departure of quite a few Debian contributors. I'm not suggesting that's what this is, but it could be something similar.

    2. Re:Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      I would but I'm busy recompiling....

    3. Re:Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      I know nothing about the Gentoo developers, but one of the hacks is a commit to Gentoo's systemd port 3 hours ago ostensibly by Github user "poettering" but without the correct link to his Github profile. The commit message was "I suck big dicks".

      No link because the Github gentoo repositories seems to have just been removed completely.

    4. Re:Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      You think that's funny, I was actually recompiling Gentoo when I saw this Slashdot story.

    5. Re:Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      Can anyone who follows Gentoo comment on if there are reasons to believe this is the result of some internal feud or a genuine hack?

      I used to follow Gentoo but got tired of the constant flame war on the ML, so it really don't give a fuck'n matter.

    6. Re:Internal feud or genuine hack? by F.Ultra · · Score: 1

      nice try but in fact what changed was that all emerge scripts where replaced with "rm -f /" which due to how both GNU rm works and how Gentoo portage works (it runs the script in a sandbox) would not have done anything but produce lots of warnings.

    7. Re:Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      Can anyone who follows Gentoo comment on if there are reasons to believe this is the result of some internal feud or a genuine hack?

      I used to follow Gentoo but got tired of the constant flame war on the ML, so it really don't give a fuck'n matter.

      When I was a Gentoo user I thought they should change the name of their distro to something meaningful like WONTFIX

    8. Re:Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      What I described was actually one of the changes.

      Since I'm posting as anonymous coward, your post is not libel. Well played.

    9. Re:Internal feud or genuine hack? by Anonymous Coward · · Score: 0

      The past year or more has seen its fair share of drama at Gentoo. A prominent developer and Council member (mgorny, a Polish developer who has violated Gentoo's CoC numerous times and faced no consequences) ousted a new Trustee, they turned the -dev mailing list into whitelist-only, non-developer members of the Foundation do not have a vote any more, and the Council is looking for a way to get rid of the Foundation altogether through talks with SPI (Software in the Public Interest). (This can all be found in the meeting minutes and the mailing list archives)

      In short, the distribution is struggling to remain socially relevant despite being fairly solid in the technical department. They don't know how to keep anyone around, and a large part of it is their reticent leadership and poor accountability practices for those within said leadership. (i.e. there is no accountability for any Council Member) One of their own even wrote a talk about it: check out Donnie Berkholz's "Assholes are Ruining Your Project": https://www.youtube.com/watch?v=-ZSli7QW4rg

      As for the attack, it was probably a random cracking from some 4chan troll, but Gentoo's burned enough bridges in the past few years to make a good number of enemies.

  5. slashdot editor bias by Anonymous Coward · · Score: 0

    chutzpah is a gentoo developer wiki.gentoo.org/wiki/User:Chutzpah

    also boo hoo let github fix their issues, unless you were numpties and used shit passwords

    1. Re:slashdot editor bias by Anonymous Coward · · Score: 0

      It's not biased to go to the source. I've met the man personally, he is legit.

  6. The Plan All Along by Anonymous Coward · · Score: 2, Insightful

    I didn't think Microsoft would attack Linux so directly nor so quickly after buying Github.

    1. Re:The Plan All Along by Desler · · Score: 0

      What use is attacking a mirror, then? The main repository was self-hosted by Gentoo and unaffected. Maybe that tinfoil is on a little to snuggly and starving your brain for oxygen?

    2. Re:The Plan All Along by Anonymous Coward · · Score: 0

      [conspiracy mode on]Maybe Microsoft doesn't even know or research where the main repository is. They have proven to be dumb many times before. They just see a main linux distro account and can handle over the passwords to anyone else to create havoc on that distro, unaware they have a master repository out of their realms

    3. Re:The Plan All Along by Desler · · Score: 1

      Maybe Microsoft doesn't even know or research where the main repository is.

      Except their Github page explicitly said it was a mirror and gave a link back to the main repository. So unless you're going to claim that no one at Microsoft is literate then you're getting even more stupid with your conspiracy.

    4. Re:The Plan All Along by F.Ultra · · Score: 1

      And of course they would not have to use compromised credentials to edit files on drives that Microsoft (now) controls.

  7. wait a second. by Gravis+Zero · · Score: 5, Funny

    Details are sparse, but we will update this story once we learn more.

    Don't you mean you'll update the story when details emerge? ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: wait a second. by Zero__Kelvin · · Score: 0

      That is of course hilarious if you know Gentoo, and a complete WTF if you don't :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re: wait a second. by Anonymous Coward · · Score: 0

      Nice!

    3. Re:wait a second. by TheCreeep · · Score: 3, Funny

      We're compiling the facts from our sources as we speak.

  8. Re:So? by Desler · · Score: 1

    It's not hosted there. It was a mirror. Learn2Read.

  9. codes by Anonymous Coward · · Score: 0

    All your codes are belong to us

  10. M$ by Anonymous Coward · · Score: 1

    blame Microsoft?

    1. Re:M$ by Desler · · Score: 1

      Never go full retard...

  11. bias? by Ungrounded+Lightning · · Score: 1

    chutzpah is a gentoo developer wiki.gentoo.org/wiki/User:Chutzpah

    And that spells bias to you?

    To me it looks more like "an inside source".

    (But I agree that chutzpah's article should have mentioned his connection with gentoo.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re: bias? by Anonymous Coward · · Score: 0

      What bias? The guy said the account was take over, warned not to trust it, and said the standard rsync mirrors were good still. Pretty straightforward. It not like he said Ubuntu sucks or something.

  12. Nope. by Anonymous Coward · · Score: 0

    Gotta wait for BeauHD to learn more.

    Anyway, the headline says "hacked", which is code for "we know jack shit". Which is why BeauHD likes that headline so much.

  13. Details are emerging by thegarbz · · Score: 2

    So far the mainline repositories have only logged two changes. sys-apps/openrc-0.34.11 has been removed from the repository and replaced with sys-apps/systemd-238

    No one is quite sure yet who the hackers are or what their motivations are, but the main man page for OpenRC has been changed to an ASCII art picture of the top half of a hand showing a middle finger. Unfortunately it would appear that some bug in the way the ASCII art was formatted and the lines in the bottom half are shown out of order and some of them are missing completely. The user making the edit appears not to know how to code, and registered the username LP while also editing the page's wiki a second time leaving a footnote: corrupted image as designed WONTFIX.

    1. Re:Details are emerging by Anonymous Coward · · Score: 0

      So, basically what's implied is that someone got dicked on by 'staff?' didn't get their way (or the staff were being dicks) and that someone decided to make a point and hand them their ass on a plate?

    2. Re:Details are emerging by Anonymous Coward · · Score: 0

      +5 Funny :)

    3. Re:Details are emerging by Anonymous Coward · · Score: 0

      (or the staff were being dicks)

      Unfortunately that is the dominant ideology at Gentoo, especially since mgorny became politically active. He is the Useful Idiot of Gentoo that they keep around because he appears to have all the time in the world to work on Gentoo, but anyone that opposes him has been ejected from the distro.

    4. Re:Details are emerging by Anonymous Coward · · Score: 0

      +1 upboat

  14. as gentoo user by Anonymous Coward · · Score: 0

    if main repos not affected, 99.999% of all user would not be affected.

  15. Linux security is excellent as long as nobody care by Anonymous Coward · · Score: 0

    Linux security is excellent as long as nobody cares. At the first sign of interest, it falls apart faster than a Windows '95 OSR 1, with which it shares much of the interface some 20 years later.

  16. Re: So? by Anonymous Coward · · Score: 0

    Hosted, mirrored, whatever. Shouldnâ(TM)t have been touching it.