My comments on the Gentoo Github hack

Several news outlets are reporting on the takeover of the Gentoo GitHub organization that was announced recently.

Today 28 June at approximately 20:20 UTC unknown individuals have gained
control of the Github Gentoo organization, and modified the content of
repositories as well as pages there. We are still working to determine the
exact extent and to regain control of the organization and its
repositories.

All Gentoo code hosted on github should for the moment be considered
compromised. This does NOT affect any code hosted on the Gentoo
infrastructure. Since the master Gentoo ebuild repository is hosted on our
own infrastructure and since Github is only a mirror for it, you are fine
as long as you are using rsync or webrsync from gentoo.org.

Also, the gentoo-mirror repositories including metadata are hosted under a
separate Github organization and are likely not affected either.

All Gentoo commits are signed, and you should verify the integrity of the
signatures when using git.

More updates will follow.

(Source: https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002)
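The announcement's advice to verify commit signatures rests on how git stores them: the OpenPGP signature lives in a `gpgsig` header of the commit object, and `git verify-commit` strips that header out, hands the remaining object (tree, parents, author, committer, message) to gpg as the signed payload, and passes the header value as the detached signature. The following is an added example, not code from the announcement or from Gentoo, that performs that same split on a constructed commit object so the reader can see exactly what the signature covers; the commit contents and the signature body are placeholders, and the `verify_with_gpg` helper assumes a `gpg` binary is available on the host.

```python
"""Split a git commit object into the payload that was signed and the
detached OpenPGP signature carried in its 'gpgsig' header.

This is the separation `git verify-commit` performs before calling gpg.
Everything outside the gpgsig header is covered by the signature, so a
mirror that alters the tree, parents, author or message invalidates it.
"""
from __future__ import annotations

import subprocess
import tempfile
from pathlib import Path

# Constructed sample commit object (not a real Gentoo commit). The tree
# is git's well-known empty tree; the signature body is a placeholder,
# not a valid OpenPGP packet. Continuation lines of a multi-line header
# begin with a single space, and a blank line inside the signature is
# stored as a line containing only that space.
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Dev <dev@example.org> 1530217200 +0000\n"
    b"committer Example Dev <dev@example.org> 1530217200 +0000\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDERSIGNATUREBASE64DATA=\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"sys-apps/example: bump to 1.2.3\n"
    b"\n"
    b"Signed-off-by: Example Dev <dev@example.org>\n"
)


def split_signed_commit(raw: bytes) -> tuple[bytes, bytes | None]:
    """Return (payload, signature) for a raw commit object.

    The header section ends at the first empty line. The gpgsig header
    is removed from the payload byte for byte; its continuation lines
    have their leading space stripped to rebuild the armored signature.
    A commit without a gpgsig header yields a signature of None.
    """
    header, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("malformed commit object: no header/body separator")
    kept: list[bytes] = []
    sig_lines: list[bytes] = []
    in_sig = False
    for line in header.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n\n" + message
    if not sig_lines:
        return payload, None
    return payload, b"\n".join(sig_lines) + b"\n"


def verify_with_gpg(payload: bytes, signature: bytes,
                    keyring: Path | None = None) -> bool:
    """Hand both parts to gpg the way git does and read its status lines.

    Assumes a gpg binary on PATH. Restricting verification to an explicit
    keyring of trusted developer keys is what makes "the signature is
    good" mean "signed by someone we trust" rather than "signed by anyone".
    Not exercised on SAMPLE_COMMIT, whose signature is a placeholder.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sig_path = Path(tmp) / "commit.sig"
        data_path = Path(tmp) / "commit.payload"
        sig_path.write_bytes(signature)
        data_path.write_bytes(payload)
        cmd = ["gpg", "--batch", "--status-fd", "1"]
        if keyring is not None:
            cmd += ["--no-default-keyring", "--keyring", str(keyring)]
        cmd += ["--verify", str(sig_path), str(data_path)]
        result = subprocess.run(cmd, capture_output=True, text=True)
        return "[GNUPG:] GOODSIG" in result.stdout


if __name__ == "__main__":
    payload, sig = split_signed_commit(SAMPLE_COMMIT)
    print("--- signed payload ---")
    print(payload.decode())
    print("--- detached signature ---")
    print((sig or b"").decode())
```

Changing a single byte of the message or tree line in `SAMPLE_COMMIT` changes the payload that gpg would check, which is why a rewritten mirror cannot keep existing signatures valid; only a key in the verifier's trusted keyring can produce a new good signature.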

However, I feel the term "mirror" has been misunderstood or miscommunicated in this context, so now that things have calmed down a bit I want to add a few comments.

Gentoo has mainly had a presence on GitHub in order to facilitate pull requests from external contributors and proxied maintainers; in fact, using GitHub for anything critical would go against the Gentoo Social Contract.

The primary method of synchronizing the Gentoo Ebuild Repository is rsync, and GitHub was never part of the mirroring infrastructure for rsync. Furthermore, for Portage users, gemato verifies the MetaManifests, and in turn the ebuilds, using OpenPGP (also known as GPG or PGP) signatures by default.

So, to make it absolutely clear: "mirror" in the case of the GitHub compromise does not mean the modified ebuilds are automatically distributed to users through the regular update mechanisms.

Gentoo will publish a post-mortem report once the details are ready to be released, but my recommendation to users is: don't worry about this incident. It was always under control, although cleaning up its visible aspects is annoying.
