Security

Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code

If you downloaded anything from project's hub repos, consider it compromised

By Shaun Nichols in San Francisco

19 SHARE

If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data.

The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.

Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project's 'hub org account.

"Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there," Gentoo dev Alec Warner said in a bulletin.

"We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised."

If there is some good news to be had, it's that Gentoo does not believe the master copies of its code were tampered with – Gentoo keeps master builds separate from its GitHub-hosted wares on servers that were not hacked. Thus, penguinistas should be able to get clean copies of software without much problem via the Gentoo.org website.

"Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org," Warner said.

"Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well."

The alert does not reveal who may have tampered with the code, how they were able to do it, or how long they were able to do it without being caught. Understandably, Gentoo is a bit light on the details as it works out the situation. ®

Sign up to our NewsletterGet IT in your inbox daily

19 Comments

More from The Register

SUSE and Microsoft give enterprise Linux an Azure tune-up

Veteran penguin botherer feels the need. For speed

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Arch Linux PDF reader package poisoned

Trust nobody: abandoned code was adopted by a miscreant

Hackers uncork experimental Linux-targeting malware

SSH... it's Shishiga

A fine vintage: Wine has run Microsoft Solitaire on Linux for 25 years

Year of the Linux Desktop imminent for a quarter century

Microsoft ports its Quantum Development Kit to Linux and macOS

Now that it's not Windows-only, you can simulate a theoretical computer on a real computer

Microsoft loves Linux so much its R Open install script rm'd /bin/sh

Machine-learning suite ends its sloppy packaging ways after Debian dev roasts Redmond

Microsoft loves Linux so much it wants someone else to build distros for its Windows Store

WSL blueprint open-sourced to tempt distro makers

Microsoft patched more Malware Protection Engine bugs last week

Redmond's out-of-band advisory landed after the bugs were fixed

Quantum, Linux and Dynamics: That's the week at Microsoft, not a '70s prog rock band

Roundup Sorry to disappoint