My comments on the Gentoo GitHub hack

Several news outlets are reporting on the takeover of the Gentoo GitHub organization that was announced recently.

Today 28 June at approximately 20:20 UTC unknown individuals have gained
control of the Github Gentoo organization, and modified the content of
repositories as well as pages there. We are still working to determine the
exact extent and to regain control of the organization and its
repositories.

All Gentoo code hosted on github should for the moment be considered
compromised. This does NOT affect any code hosted on the Gentoo
infrastructure. Since the master Gentoo ebuild repository is hosted on our
own infrastructure and since Github is only a mirror for it, you are fine
as long as you are using rsync or webrsync from gentoo.org.

Also, the gentoo-mirror repositories including metadata are hosted under a
separate Github organization and likely not affected as well.

All Gentoo commits are signed, and you should verify the integrity of the
signatures when using git.

More updates will follow.

( Source: https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002 )

However, I feel like the term "mirror" has been misunderstood or miscommunicated in this context, so I want to add a few comments now that things have calmed down a bit.

Gentoo has mainly had a presence on GitHub in order to facilitate pull requests from external contributors and proxied maintainers. In fact, using GitHub for anything critical goes against the Gentoo Social Contract.

The primary method of synchronizing the Gentoo Ebuild Repository is rsync, and GitHub was never part of the mirroring infrastructure for rsync. Furthermore, for Portage users, gemato is used by default to verify the MetaManifests, and in turn the ebuilds, using OpenPGP (aka GPG aka PGP) signatures.

So, to make it absolutely clear: "mirror" in the case of the GitHub compromise doesn't mean that the compromise automatically results in the ebuilds being distributed to users through the regular update mechanisms.
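The verification chain mentioned above (a signed top-level Manifest vouching for sub-Manifests, which in turn vouch for the ebuilds) is shown here as an added example; it is not gemato's or Gentoo's own code. It assumes the OpenPGP signature on the top-level Manifest has already been checked and the signature wrapper removed, uses uncompressed Manifests, and the `app-misc/foo` tree is constructed sample data.

```python
import hashlib
from pathlib import Path, PurePosixPath

# Assumption: the top-level Manifest's OpenPGP signature was verified beforehand.
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}

def parse_manifest(text):
    """Yield (tag, path, size, {hash_name: hex_digest}) per file entry."""
    for line in text.splitlines():
        f = line.split()
        if f and f[0] not in ("TIMESTAMP", "IGNORE"):
            yield f[0], f[1], int(f[2]), dict(zip(f[3::2], f[4::2]))

def verify_tree(root, manifest_rel="Manifest"):
    """Follow the chain from a top-level Manifest whose signature was checked.
    Returns a list of problems; an empty list means every listed file matches."""
    problems = []
    base = PurePosixPath(manifest_rel).parent
    entries = parse_manifest(Path(root, manifest_rel).read_text())
    for tag, path, size, hashes in entries:
        rel = str(base / path)
        try:
            data = Path(root, rel).read_bytes()
        except FileNotFoundError:
            problems.append(f"{rel}: missing")
            continue
        if len(data) != size:
            problems.append(f"{rel}: size mismatch")
        elif any(HASHES[n](data).hexdigest() != h for n, h in hashes.items()):
            problems.append(f"{rel}: hash mismatch")
        elif tag == "MANIFEST":
            # A verified sub-Manifest extends trust to the files it lists.
            problems += verify_tree(root, rel)
    return problems

def entry(tag, path, data):
    """Format one Manifest line (used only to build the constructed sample)."""
    digests = " ".join(f"{n} {h(data).hexdigest()}" for n, h in HASHES.items())
    return f"{tag} {path} {len(data)} {digests}\n".encode()

def build_sample_tree(root):
    """Constructed sample: Manifest -> app-misc/foo/Manifest -> foo-1.0.ebuild."""
    ebuild = b'EAPI=7\nDESCRIPTION="constructed sample"\n'
    sub = entry("EBUILD", "foo-1.0.ebuild", ebuild)
    files = {"app-misc/foo/foo-1.0.ebuild": ebuild, "app-misc/foo/Manifest": sub,
             "Manifest": entry("MANIFEST", "app-misc/foo/Manifest", sub)}
    Path(root, "app-misc/foo").mkdir(parents=True)
    for rel, data in files.items():
        Path(root, rel).write_bytes(data)
```

A modified ebuild fails against its package Manifest, and a regenerated package Manifest fails against the signed top-level one, which is why content changed on a mirror does not pass verification.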

Gentoo will publish a post-mortem report once details are ready to be released, but my recommendation to users is: don't worry about this incident. It was always under control, although it is annoying to clean up the visible aspects of it.

Gentoo at FOSDEM 2018

Gentoo Linux participated with a stand at this year's FOSDEM 2018, as has been the case for the past several years. Three Gentoo developers gave talks this year: Haubi was back with a Gentoo-related talk on "Unix? Windows? Gentoo! - POSIX? Win32? Native Portability to the max!", dilfridge talked about "Perl in the Physics Lab", and bircoph talked about "The Invisible Internet Project".

K_F and chithanh at stand

The "Compile your own button" activity attracted the most attention, even more so than in earlier years, as this sample of tweets shows:

Whissi, soap, and amynka are busy demonstrating the compiler

We also ran out of coffee mugs, lanyards and t-shirts already on Saturday, so hopefully we can bring some more next year. At least we had plenty of flyers, which incidentally led to a well-spirited in-booth competition with our FreeBSD peers over the highest flyer house.

Speaking of flyers, we also got some comments after the beer fest like

Happy hacking, and see you at next FOSDEM or maybe our Gentoo Miniconf in Prague this October?

Cigars and the Norwegian Government

[Updated 22nd November to add link to the response to proposed new regulations]

As some of my readers know, I'm an aficionado of cigars, to the extent that I bought my own cigar importer and store. The picture below is from the 20th best bar in the world in 2017, and they sell our cigars of course!

But the government is certainly not making it easy to run any kind of store in Norway. Besides the regular bureaucracy that drives up the cost of businesses, there are severe anti-tobacco drivers that impact a cigar store, including tobacco taxes. The tobacco taxes are of course only paid by those of us trying to run a legal business, and not by the numerous customers importing illegally directly or buying obviously non-taxed cigars.

Sweden's minister of Business, Bjørn Rosengren, proclaimed Norway the last Soviet state in 1999. There are few reasons to doubt that the Norwegian nanny state has only one goal: reducing the individual's rights and the growth of small businesses through volatile regulation and increased reporting requirements. The Swede's remark continues to serve as an acute observation.

Augusto has previously participated in responses to changes to regulation in several rounds, including plain tobacco packaging in 2015 and tobacco regulation in 2016. This time around, though, the Norwegian government was in a rush. The government required a rapid ratification to give Norway the opportunity to participate in the international cooperation against illegal trade in tobacco products. This rush is the reason that the change to the tobacco product regulation was sent out with less than 6 weeks to reply, even though the minimum requirement in Norway is normally 3 months. Of course, the hearing doesn't mention that the reason for the delay is the government not having bothered to send out anything since 2014.

The issue is made worse by the government stating that it expects the regulation to remain under development over the next years, and that changes to laws and regulations are to be expected. Does that mean that businesses will be expected to keep reacting to uncertain frameworks with short timelines? Even the Norwegian department states that there have been many parallel changes over the last few years, something that has caused a bit of uncertainty in the systematics of the law.

The administration of the regulations becomes even worse when the government on a whim decides to change practices that have been working for more than 20 years, mainly the administration of warning labels on cigars imported into Norway, without even a hint ahead of time. So a pallet of cigars that was legally imported by a competitor of ours was destroyed, and they were fined for it. And this happened even though international cigar stores regularly send boxes of cigars to Norwegian customers without any reaction to it.

Today Augusto Cigars is working on its response to the changes to regulation on illegal imports of tobacco in Norway (which will also be in Norwegian). If you like cigars you might also have something to add to this discussion ahead of the 22nd of November deadline.

Update 22nd November: Link to Augusto's response