My comments on the Gentoo Github hack

Several news outlets are reporting on the takeover of the Gentoo GitHub organization that was announced recently.

Today, 28 June, at approximately 20:20 UTC, unknown individuals gained
control of the Github Gentoo organization and modified the content of
repositories as well as pages there. We are still working to determine the
exact extent and to regain control of the organization and its
repositories.

All Gentoo code hosted on github should for the moment be considered
compromised. This does NOT affect any code hosted on the Gentoo
infrastructure. Since the master Gentoo ebuild repository is hosted on our
own infrastructure and since Github is only a mirror for it, you are fine
as long as you are using rsync or webrsync from gentoo.org.

Also, the gentoo-mirror repositories including metadata are hosted under a
separate Github organization and are likely not affected either.

All Gentoo commits are signed, and you should verify the integrity of the
signatures when using git.

More updates will follow.

( Source: https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002 )

However, I feel that the term "mirror" has been misunderstood or miscommunicated in this context, so now that things have calmed down a bit I want to add a few comments.

Gentoo has mainly had a presence on GitHub in order to facilitate pull requests from external contributors and proxied maintainers; in fact, using GitHub for anything critical would go against the Gentoo Social Contract.

The primary method of synchronizing the Gentoo Ebuild Repository is rsync, and GitHub was never part of the mirroring infrastructure for rsync. Furthermore, for Portage users, gemato is used by default to verify the MetaManifests, and in turn the ebuilds, using OpenPGP (aka GPG aka PGP) signatures.

So, to make it absolutely clear: a compromised GitHub mirror does not mean that the modified ebuilds are automatically distributed to users through the regular update mechanisms.
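For those who do consume the repository over git, the announcement's advice to verify commit signatures boils down to checking git's own signature status per commit. The following POSIX shell script is an added example, not part of this post or of Gentoo's tooling; it uses git's %H and %G? log placeholders, and the revision range and the sample log lines are assumptions (the hashes are constructed placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): audit commit signatures in a
# git checkout. Relies only on git's %H / %G? log placeholders; see
# git-log(1) for the status codes.

# Status codes reported by %G?:
#   G good, trusted signature        B bad signature
#   U good, untrusted key            X good, expired signature
#   Y good, expired key              R good, revoked key
#   E signature cannot be checked    N no signature at all
# Anything other than "G" is reported; stdin is lines of "<hash> <status>".
classify_status() {
    awk '$2 != "G" { print $1, $2 }'
}

# Number of commits on stdin that did not verify as trusted-good.
count_untrusted() {
    classify_status | wc -l | tr -d ' '
}

# Run the audit over a revision range (e.g. "origin/master~50..origin/master").
# Prints the offending commits and returns 1 if any are found, 0 otherwise.
audit_range() {
    _bad=$(git log --format='%H %G?' "$1" | classify_status)
    [ -z "$_bad" ] && return 0
    printf '%s\n' "$_bad"
    return 1
}

# Constructed sample of "git log --format='%H %G?'" output; the hashes are
# placeholders, not real Gentoo commits.
SAMPLE='0000000000000000000000000000000000000001 G
0000000000000000000000000000000000000002 N
0000000000000000000000000000000000000003 U
0000000000000000000000000000000000000004 B'

# Stand-alone demo on the sample, then on a real range if one was given.
printf '%s\n' "$SAMPLE" | classify_status
if [ "$#" -gt 0 ]; then
    audit_range "$1"
fi
```

Note that "U" means the signature is cryptographically valid but the key is not trusted in your keyring, so importing and trusting the developers' keys is part of the check; rsync and webrsync users get the equivalent Manifest verification from gemato without any of this.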

Gentoo will publish a post-mortem report once the details are ready to be released, but my recommendation to users is: don't worry about this incident; it was always under control, although cleaning up its visible aspects is annoying.

Gentoo at FOSDEM 2018

Gentoo Linux participated with a stand at this year's FOSDEM 2018, as has been the case for the past several years. Three Gentoo developers gave talks this year: Haubi was back with a Gentoo-related talk, "Unix? Windows? Gentoo! - POSIX? Win32? Native Portability to the max!"; dilfridge talked about "Perl in the Physics Lab"; and bircoph talked about "The Invisible Internet Project".


K_F and chithanh at the stand

The "Compile your own button" activity attracted the most attention, even more so than in earlier years, as this sample of tweets shows:

Whissi, soap, and amynka are busy demonstrating the compiler

We also ran out of coffee mugs, lanyards and t-shirts already during Saturday, so hopefully we can bring more next year. At least we had plenty of flyers, which incidentally led to a well-spirited in-booth competition with our FreeBSD peers over the tallest flyer house.

Speaking of flyers, we also got some comments after the beer fest, like:

Happy hacking, and see you at next FOSDEM or maybe our Gentoo Miniconf in Prague this October?

I love free software but I love you more

The Free Software Foundation Europe is running its campaign once again this year, and I quote:

In the Free Software society we exchange a lot of criticism. We write bug reports, tell others how they can improve the software, ask them for new features, and generally are not shy about criticising others. There is nothing wrong about that. It helps us to constantly improve. But sometimes we forget to show the hardworking people behind the software our appreciation. We should not underestimate the power of a simple "thank you" to motivate Free Software contributors in their important work for society. The 14th of February (a Sunday this year) is the ideal day to do that.

As part of this campaign, the FSFE's FOSDEM stand allowed visitors to send postcards to projects that matter to them.

This year Gentoo received a postcard supporting its future development, "I love free software, ... but I love you more":


With a nice thank-you note hand-written on the back:


"Thank you for such a powerful and flexible system"

Next year we hope to receive even more postcards, but thank you very much for the one we received this year 🙂

On another note, Gentoo was interviewed during FOSDEM, and the recording is available at HPR, with the Gentoo segment starting at about 1:56:40.