Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code

If you downloaded anything from project's hub repos, consider it compromised

By Shaun Nichols in San Francisco

If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data.

The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.

Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project's 'hub org account.

"Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the GitHub Gentoo organization, and modified the content of repositories as well as pages there," Gentoo dev Alec Warner said in a bulletin.

"We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised."

If there is some good news to be had, it's that Gentoo does not believe the master copies of its code were tampered with – Gentoo keeps master builds separate from its GitHub-hosted wares on servers that were not hacked. Thus, penguinistas should be able to get clean copies of software without much problem via the Gentoo.org website.

"Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org," Warner said.

"Also, the gentoo-mirror repositories including metadata are hosted under a separate GitHub organization and likely not affected as well."

The alert does not reveal who may have tampered with the code, how they were able to do it, or how long they were able to do it without being caught. Understandably, Gentoo is a bit light on the details as it works out the situation.
