Security

Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code

If you downloaded anything from project's hub repos, consider it compromised

By Shaun Nichols in San Francisco

19 SHARE

If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data.

The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.

Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project's 'hub org account.

"Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there," Gentoo dev Alec Warner said in a bulletin.

"We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised."

If there is some good news to be had, it's that Gentoo does not believe the master copies of its code were tampered with – Gentoo keeps master builds separate from its GitHub-hosted wares on servers that were not hacked. Thus, penguinistas should be able to get clean copies of software without much problem via the Gentoo.org website.

"Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org," Warner said.

"Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well."

The alert does not reveal who may have tampered with the code, how they were able to do it, or how long they were able to do it without being caught. Understandably, Gentoo is a bit light on the details as it works out the situation. ®

Sign up to our NewsletterGet IT in your inbox daily

19 Comments

More from The Register

2001: Linux is cancer, says Microsoft. 2019: Hey friends, ah, can we join the official linux-distros mailing list, plz?

Windows giant cheered on by Linux Foundation as it seeks membership of private security-focused message board

Meet the Great Duke of... DLL: Microsoft shines light on Astaroth, a devilishly sneaky strain of fileless malware

DLL or no DLL?

Hitting Microsoft's metal: SUSE flings Enterprise Linux at SAP HANA on Azure

SUSECON '19 Fancy a slice of SLES for SAP?

The Year Of Linux On The Desktop – at last! Windows Subsystem for Linux 2 brings the Linux kernel into Windows

Build Also: A new Windows Terminal is here and on GitHub

Malware scum want to build a Linux botnet using Mirai

Hadoop YARN is the attack vector, so lock it away

Sorry, Linux. We know you want to be popular, but cyber-crooks are all about Microsoft for now

Oh, and Flash! Arrrrrggghhh

Windows Subsystem for Linux distro gets a preening, updated version waddles into Microsoft's app store

If you're feeling a little bit Linux, p-p-p-pick up a p-p-p-Pengwin...1.2

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Love Microsoft Teams? Love Linux? Then you won't love this

Updated Learn to love the browser instead

SUSE and Microsoft give enterprise Linux an Azure tune-up

Veteran penguin botherer feels the need. For speed