LWN: Comments on "Gentoo's GitHub mirror compromised"

Gentoo's GitHub mirror compromised

flussence — Sun, 15 Jul 2018 02:23:38 +0000

The wiki that was lost was an unofficial third-party one, and AFAIK the Arch incident was also in third-party package repos.

The distros are to blame for this about as much as Perl is to blame for RHEL shipping an incomplete 10-year-stale perl5 out of the box.

Gentoo's GitHub mirror compromised

antiphase — Thu, 12 Jul 2018 17:00:00 +0000

These are the same people whose (frankly excellent) wiki was entirely lost because no-one considered doing backups.
Arch, whose wiki is probably the spiritual successor of the Gentoo one, also had a similar malware injection this week.

I suspect they are not the distributions of choice of professionals.

Gentoo's GitHub mirror compromised

fratti — Mon, 02 Jul 2018 16:57:02 +0000

As far as I'm aware, someone re-used their linuxforums password on freenode as operator of many high-profile channels such as #haskell, #znc and #gentoo, and apparently also for the Gentoo GitHub org.

Really says a lot about the security hygiene of some people even in the FOSS world.

Gentoo's GitHub mirror compromised

epa — Mon, 02 Jul 2018 06:15:04 +0000

It should be possible to set up a pure ‘mirror’ on Github that clones one or more repositories from an external source, and then never does any operation other than pull changes from those. The pure mirror status would be clearly shown in the Github page heading, and any change away from that would require a new project with a new URI. Then compromise of the downstream mirror would be impossible without compromising the upstream.

You could still have issues and pull requests, but the code changes would have to be manually applied upstream first — or else in a separate Github project.

Gentoo's GitHub mirror compromised

ceplm — Sun, 01 Jul 2018 12:19:06 +0000

I guess they haven't considered it to be the one.

Gentoo's GitHub mirror compromised

pabs — Sat, 30 Jun 2018 11:24:39 +0000

Timeline of events:

https://wiki.gentoo.org/wiki/Github/2018-06-28

Gentoo's GitHub mirror compromised

pabs — Sat, 30 Jun 2018 11:24:02 +0000

Some comments:

https://blog.sumptuouscapital.com/2018/06/my-comments-on-...

Gentoo's GitHub mirror compromised

danieldk — Sat, 30 Jun 2018 09:17:51 +0000

GitHub makes it possible to require two-factor authentication within an organization. One would think that they'd enable that for critical infrastructure.

Gentoo's GitHub mirror compromised

Wol — Fri, 29 Jun 2018 23:32:46 +0000

From the gentoo mailing list, it looks like someone's password was compromised. How that happened isn't yet known ...

Cheers,
Wol

Gentoo's GitHub mirror compromised

flussence — Fri, 29 Jun 2018 19:22:42 +0000

The skill level of the “attack” makes me wonder how easy it was to break in, too.

Gentoo's GitHub mirror compromised

pizza — Fri, 29 Jun 2018 13:53:14 +0000

What I consider to be a far greater concern is _how_ the "github organization" account was compromised.

Gentoo's GitHub mirror compromised

unixbhaskar — Fri, 29 Jun 2018 13:47:28 +0000

This is not a big deal. And I believe Gentoo users are not going get its effect. It's a damn mirror, people generally pull stuff from other places.