Sourceforge.net briefly reported
an attack on its infrastructure on Thursday January 27 that resulted in some services (CVS, interactive ssh shells, and others) being suspended. More details were released
on January 29, which show that the attack exploited a privilege escalation to root in one of the Sourceforge services. "Its better to be safe than sorry, so weve decided to perform a comprehensive validation of project data from file releases, to SCM commits. We will compare data [against] pre-attack backups, and will identify changed and added. We will review that data, and will will also refer anything suspicious to individual project teams for further assessment as needed.
The validation work is a precaution, because while we dont have evidence of any data tampering, wed much prefer to burn a bunch of CPU cycles verifying everything than to discover later that some extra special trickery lead to some undetected badness.
to post comments)