[gentoo-announce] Re: Gentoo Github Organization hacked.


We believe this incident to be resolved and we have written an incident
report:

https://wiki.gentoo.org/wiki/Github/2018-06-28

Thanks to the community for their support during this incident.

-A

On Thu, Jun 28, 2018 at 5:13 PM, Alec Warner wrote:

> Today 28 June at approximately 20:20 UTC unknown individuals have gained
> control of the Github Gentoo organization, and modified the content of
> repositories as well as pages there. We are still working to determine the
> exact extent and to regain control of the organization and its
> repositories.
>
> All Gentoo code hosted on github should for the moment be considered
> compromised. This does NOT affect any code hosted on the Gentoo
> infrastructure. Since the master Gentoo ebuild repository is hosted on our
> own infrastructure and since Github is only a mirror for it, you are fine
> as long as you are using rsync or webrsync from gentoo.org.
>
> Also, the gentoo-mirror repositories including metadata are hosted under a
> separate Github organization and likely not affected as well.
>
> All Gentoo commits are signed, and you should verify the integrity of the
> signatures when using git.
>
> More updates will follow.
>
> -A
>
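
The quoted announcement advises verifying commit signatures when using git. As an added example (not part of the original e-mails and not Gentoo's own tooling), this bash function audits `git log --format='%H %G? %GP'` output and rejects every commit that lacks a good signature from an allow-listed key. The function names, the allow-list and the sample commit ids and fingerprints are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Gentoo tooling. Audits lines produced by
#   git log --format='%H %G? %GP' <old>..<new>
# %G? is git's signature status, %GP the signer's primary-key fingerprint.

# Constructed allow-list of trusted primary-key fingerprints (placeholder).
SAMPLE_ALLOWED="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Constructed sample log: one good commit and four that must be rejected.
sample_log() {
    cat <<'EOF'
1111111 G AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2222222 N
3333333 G BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
4444444 B
5555555 E
EOF
}

# audit_signatures "FPR1 FPR2 ..." < log-lines
# Prints one REJECT line per failing commit; returns 1 if any commit failed.
audit_signatures() {
    local allowed rc commit status fpr
    allowed=" $1 "
    rc=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case "$status" in
            G)  # good signature: still require an allow-listed signer
                case "$allowed" in
                    *" ${fpr:-none} "*) ;;
                    *) echo "REJECT $commit signer-not-allowed ${fpr:-none}"; rc=1 ;;
                esac ;;
            N)  echo "REJECT $commit unsigned"; rc=1 ;;
            B)  echo "REJECT $commit bad-signature"; rc=1 ;;
            E)  echo "REJECT $commit key-unavailable"; rc=1 ;;
            U)  echo "REJECT $commit untrusted-key-validity"; rc=1 ;;
            X|Y|R) echo "REJECT $commit expired-or-revoked"; rc=1 ;;
            *)  echo "REJECT $commit unknown-status"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage inside a clone, after `git fetch` and before merging:
#   git log --format='%H %G? %GP' HEAD..FETCH_HEAD | audit_signatures "$FPRS"
```

A status of `G` alone only says that some key in the local keyring produced a valid signature, which is why the signer's fingerprint is also checked against the allow-list.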
