Security

Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code

If you downloaded anything from project's hub repos, consider it compromised

By Shaun Nichols in San Francisco

19 SHARE

If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data.

The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.

Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project's 'hub org account.

"Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there," Gentoo dev Alec Warner said in a bulletin.

"We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised."

If there is some good news to be had, it's that Gentoo does not believe the master copies of its code were tampered with – Gentoo keeps master builds separate from its GitHub-hosted wares on servers that were not hacked. Thus, penguinistas should be able to get clean copies of software without much problem via the Gentoo.org website.

"Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org," Warner said.

"Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well."

The alert does not reveal who may have tampered with the code, how they were able to do it, or how long they were able to do it without being caught. Understandably, Gentoo is a bit light on the details as it works out the situation. ®

Sign up to our NewsletterGet IT in your inbox daily

19 Comments

More from The Register

Oracle Database 18: Now in downloadable Linux flavour

Oh, and Windows, but cool kids don't use that

Oracle wants to improve Linux load balancing and failover

Native to ordinary interfaces, Big Red reckons bonded channels are needed for RDMA

Oracle gets busy with Lazy FPU fix, adds more CPU Spectre-protectors

Oracle Linux and VM get their innoculations

Oracle Linux now supported on 64-bit Armv8 processors

Big Red wants ‘very viable server/cloud platform for Arm’ so adds MySQL, Docker, Java efforts under way too

Love Microsoft Teams? Love Linux? Then you won't love this

Updated Learn to love the browser instead

SUSE and Microsoft give enterprise Linux an Azure tune-up

Veteran penguin botherer feels the need. For speed

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

WLinux brings a custom Windows Subsystem for Linux experience to the Microsoft Store

What's better than one Linux distro? Dozens of 'em, of course!

Hackers uncork experimental Linux-targeting malware

SSH... it's Shishiga

A fine vintage: Wine has run Microsoft Solitaire on Linux for 25 years

Year of the Linux Desktop imminent for a quarter century