Today 28 June at approximately 20:20 UTC unknown individuals have gained
control of the Github Gentoo organization, and modified the content of
repositories as well as pages there. We are still working to determine the
exact extent and to regain control of the organization and its
All Gentoo code hosted on github should for the moment be considered
compromised. This does NOT affect any code hosted on the Gentoo
infrastructure. Since the master Gentoo ebuild repository is hosted on our
own infrastructure and since Github is only a mirror for it, you are fine
as long as you are using rsync or webrsync from gentoo.org.
Also, the gentoo-mirror repositories including metadata are hosted under a
separate Github organization and are likely not affected either.
All Gentoo commits are signed, and you should verify the integrity of the
signatures when using git.
More updates will follow.
However, I feel that the term "mirror" has been misunderstood or miscommunicated in this context, so now that things have calmed down a bit I want to add a few comments on it.
Gentoo has mainly had a presence on GitHub in order to facilitate pull requests from external contributors and proxied maintainers; in fact, using GitHub for anything critical would go against the Gentoo Social Contract.
The primary method of synchronizing the Gentoo Ebuild Repository is rsync, and GitHub was never part of the mirroring infrastructure for rsync. Furthermore, for Portage users, gemato is used by default to verify the MetaManifests, and in turn the ebuilds, using OpenPGP (aka GPG aka PGP) signatures.
So, to make it absolutely clear: a "mirror" being compromised, as in the GitHub case, does not automatically mean that tampered ebuilds end up being distributed to users through the regular update mechanisms.
Gentoo will publish a post mortem report once the details are ready to be released, but my recommendation to users is: don't worry about this incident, it was always under control, although it is annoying to clean up the visible aspects of it.
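To illustrate the integrity step that gemato performs on the rsync'd tree, here is an added example (not Gentoo's or gemato's own code; the Manifest entries and file contents are constructed): it builds GLEP 74-style Manifest lines, then re-verifies a tree against them, catching a modified ebuild, a missing file and an unlisted file. The OpenPGP signature check that gemato does on the top-level MetaManifest is the step that makes these lines trustworthy in the first place and is not modelled here.

```python
import hashlib

# Constructed sample tree, as gemato would see one package directory.
# Manifest lines follow GLEP 74: "TYPE path size HASH hex [HASH hex ...]".
# gemato first checks the OpenPGP signature on the top-level MetaManifest
# (not modelled here); only then are entries like these trusted.
FILES = {
    "foo-1.0.ebuild": b'EAPI=7\nDESCRIPTION="constructed sample"\n',
    "metadata.xml": b"<pkgmetadata/>\n",
}
FILE_TYPES = {"DATA", "EBUILD", "MISC", "AUX"}  # entries that name a plain file

def manifest_entry(path: str, data: bytes) -> str:
    """Produce the DATA line a Manifest would carry for this file."""
    return (f"DATA {path} {len(data)} "
            f"BLAKE2B {hashlib.blake2b(data).hexdigest()} "  # BLAKE2B-512
            f"SHA512 {hashlib.sha512(data).hexdigest()}")

def verify_manifest(manifest: str, files: dict) -> list:
    """Return (path, reason) for every check that fails; [] means clean.

    Size and every listed digest must match, and every file in the tree
    must be covered by an entry, so an injected file is caught as well.
    """
    failures, listed = [], set()
    for line in manifest.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in FILE_TYPES:
            continue  # blank lines and MANIFEST/DIST/IGNORE entries
        path, size, digests = fields[1], int(fields[2]), fields[3:]
        listed.add(path)
        data = files.get(path)
        if data is None:
            failures.append((path, "missing from tree"))
        elif len(data) != size:
            failures.append((path, "size mismatch"))
        else:
            for algo, expected in zip(digests[::2], digests[1::2]):
                if hashlib.new(algo.lower(), data).hexdigest() != expected:
                    failures.append((path, f"{algo} mismatch"))
                    break
    for path in sorted(set(files) - listed):
        failures.append((path, "not listed in Manifest"))
    return failures

if __name__ == "__main__":
    manifest = "\n".join(manifest_entry(p, d) for p, d in FILES.items())
    print("clean tree:", verify_manifest(manifest, FILES))
    # Same size, one byte changed: size check passes, BLAKE2B catches it.
    tampered = {**FILES, "foo-1.0.ebuild": b'EAPI=8\nDESCRIPTION="constructed sample"\n'}
    print("tampered ebuild:", verify_manifest(manifest, tampered))
```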
We also ran out of coffee mugs, lanyards and t-shirts already during Saturday, so hopefully we can bring some more next year. At least we had plenty of flyers, which incidentally led to a well-spirited in-booth competition with our FreeBSD peers over who could build the highest flyer house.
Speaking of flyers, we also got some comments after the beer fest like
My favorite thing about #fosdem so far is the guy from @gentoo who came to the pre-party smoking cigars and replied to smalltalk by handing out fliers. I don't know about using Gentoo, but I know who to talk to if I need tips on opening my own strip club.
The Free Software Foundation Europe is running its campaign once again this year, and I quote:
In the Free Software society we exchange a lot of criticism. We write bug reports, tell others how they can improve the software, ask them for new features, and generally are not shy about criticising others. There is nothing wrong about that. It helps us to constantly improve. But sometimes we forget to show the hardworking people behind the software our appreciation. We should not underestimate the power of a simple "thank you" to motivate Free Software contributors in their important work for society. The 14th of February (a Sunday this year) is the ideal day to do that.
As part of this campaign, the FSFE's FOSDEM stand allowed visitors to send postcards to projects that matter to them.
This year Gentoo received a postcard supporting its future development, "I love free software, ... but I love you more":
With a nice thank-you note hand-written on the back:
"Thank you for such a powerful and flexible system"
Next year we hope to receive even more postcards, but thank you very much for the one we received this year 🙂
On another note, Gentoo was interviewed during FOSDEM and the recording is available at HPR with Gentoo starting about 1:56:40.