kernel.org compromised

Posted Sep 1, 2011 0:44 UTC (Thu) by hmh (subscriber, #3838)
In reply to: kernel.org compromised by yokem_55
Parent article: kernel.org compromised

I would be more worried about all the stuff in mirrors.kernel.org, binaries at boot.kernel.org, as well as the tarballs and diffs...


kernel.org compromised

Posted Sep 1, 2011 1:12 UTC (Thu) by mtaht (✭ supporter ✭, #11087)

Breakage into mirrors.kernel.org of anything not protected by a sha1 hash worries me. Even if it was temporary - a day or two - then changed back, for people that rely on those mirrors of various distros, pieces of those distros could have been compromised unknowingly.

d@bob-desktop:~/git$ host mirrors.us.kernel.org
mirrors.us.kernel.org has address 149.20.4.71
mirrors.us.kernel.org has IPv6 address 2001:4f8:1:10:1997:313:1:0
mirrors.us.kernel.org mail is handled by 10 hera.kernel.org.
mirrors.us.kernel.org mail is handled by 20 zeus1.kernel.org.
mirrors.us.kernel.org mail is handled by 30 zeus2.kernel.org.
mirrors.us.kernel.org mail is handled by 999 bl-ckh-le.kernel.org.

What bothers me right now is that I remember seeing several updates go by in the past month that weren't verifiable via gpg key on several systems I maintain... and I just did installs of them...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds