* [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
@ 2018-06-28 21:15 Francisco Blas Izquierdo Riera (klondike)
2018-06-28 21:54 ` [gentoo-user] " Francisco Blas Izquierdo Riera (klondike)
` (3 more replies)
0 siblings, 4 replies; 24+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2018-06-28 21:15 UTC
To: gentoo-announce; +Cc: Gentoo Development, Gentoo mailing list
Hi!
I just want to notify that an attacker has taken control of the Gentoo
organization in Github and has among other things replaced the portage
and musl-dev trees with malicious versions of the ebuilds intended to
try removing all of your files.
Whilst the malicious code shouldn't work as is and GitHub has now
removed the organization, please don't use any ebuild from the GitHub
mirror obtained before 28/06/2018, 18:00 GMT until new warning.
Sincerely,
Francisco Blas Izquierdo Riera (klondike)
Gentoo developer.
^ permalink raw reply [flat|nested] 24+ messages in thread
* [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-28 21:15 [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning! Francisco Blas Izquierdo Riera (klondike)
@ 2018-06-28 21:54 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-28 22:27 ` Mick
2018-06-29 1:55 ` Duane Robertson
` (2 subsequent siblings)
3 siblings, 1 reply; 24+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2018-06-28 21:54 UTC
Cc: Gentoo Development, Gentoo mailing list
On 28/06/18 at 23:15, Francisco Blas Izquierdo Riera (klondike) wrote:
> Hi!
>
> I just want to notify that an attacker has taken control of the Gentoo
> organization in Github and has among other things replaced the portage
> and musl-dev trees with malicious versions of the ebuilds intended to
> try removing all of your files.
>
> Whilst the malicious code shouldn't work as is and GitHub has now
> removed the organization, please don't use any ebuild from the GitHub
> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>
> Sincerely,
> Francisco Blas Izquierdo Riera (klondike)
> Gentoo developer.
>
>
Just to keep up with it. There is a more complete article published at
https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-28 21:54 ` [gentoo-user] " Francisco Blas Izquierdo Riera (klondike)
@ 2018-06-28 22:27 ` Mick
2018-06-29 1:12 ` Francisco Blas Izquierdo Riera (klondike)
0 siblings, 1 reply; 24+ messages in thread
From: Mick @ 2018-06-28 22:27 UTC
To: gentoo-user
On Thursday, 28 June 2018 22:54:45 BST Francisco Blas Izquierdo Riera
(klondike) wrote:
> On 28/06/18 at 23:15, Francisco Blas Izquierdo Riera (klondike) wrote:
> > Hi!
> >
> > I just want to notify that an attacker has taken control of the Gentoo
> > organization in Github and has among other things replaced the portage
> > and musl-dev trees with malicious versions of the ebuilds intended to
> > try removing all of your files.
> >
> > Whilst the malicious code shouldn't work as is and GitHub has now
> > removed the organization, please don't use any ebuild from the GitHub
> > mirror obtained before 28/06/2018, 18:00 GMT until new warning.
> >
> > Sincerely,
> > Francisco Blas Izquierdo Riera (klondike)
> > Gentoo developer.
>
> Just to keep up with it. There is a more complete article published at
> https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
Thanks for letting us know, but how did this happen?
--
Regards,
Mick
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-28 22:27 ` Mick
@ 2018-06-29 1:12 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-29 7:47 ` Ivan J.
0 siblings, 1 reply; 24+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2018-06-29 1:12 UTC
To: gentoo-user
On 29/06/18 at 00:27, Mick wrote:
> On Thursday, 28 June 2018 22:54:45 BST Francisco Blas Izquierdo Riera
> (klondike) wrote:
>> On 28/06/18 at 23:15, Francisco Blas Izquierdo Riera (klondike) wrote:
>>> Hi!
>>>
>>> I just want to notify that an attacker has taken control of the Gentoo
>>> organization in Github and has among other things replaced the portage
>>> and musl-dev trees with malicious versions of the ebuilds intended to
>>> try removing all of your files.
>>>
>>> Whilst the malicious code shouldn't work as is and GitHub has now
>>> removed the organization, please don't use any ebuild from the GitHub
>>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>>
>>> Sincerely,
>>> Francisco Blas Izquierdo Riera (klondike)
>>> Gentoo developer.
>> Just to keep up with it. There is a more complete article published at
>> https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
> Thanks for letting us know, but how did this happen?
I don't think there is an official timeline yet. We suspect the github
account of an administrator was compromised.
I just brought up the heads-up when I noticed that the portage tree had
been modified to contain harmful code.
* [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-28 21:15 [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning! Francisco Blas Izquierdo Riera (klondike)
2018-06-28 21:54 ` [gentoo-user] " Francisco Blas Izquierdo Riera (klondike)
@ 2018-06-29 1:55 ` Duane Robertson
2018-06-29 2:57 ` R0b0t1
2018-06-29 12:19 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-29 15:46 ` [gentoo-user] " gevisz
2018-06-29 16:33 ` Peter Humphrey
3 siblings, 2 replies; 24+ messages in thread
From: Duane Robertson @ 2018-06-29 1:55 UTC
To: gentoo-user
On Thu, 28 Jun 2018 23:15:36 +0200
"Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org> wrote:
> Hi!
>
> I just want to notify that an attacker has taken control of the Gentoo
> organization in Github and has among other things replaced the portage
> and musl-dev trees with malicious versions of the ebuilds intended to
> try removing all of your files.
>
> Whilst the malicious code shouldn't work as is and GitHub has now
> removed the organization, please don't use any ebuild from the GitHub
> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>
> Sincerely,
> Francisco Blas Izquierdo Riera (klondike)
> Gentoo developer.
>
>
Is it at all likely that any signing keys have been compromised? I
can't think of how that would happen, but I don't know much about the
situation.
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 1:55 ` Duane Robertson
@ 2018-06-29 2:57 ` R0b0t1
2018-06-29 12:19 ` Francisco Blas Izquierdo Riera (klondike)
1 sibling, 0 replies; 24+ messages in thread
From: R0b0t1 @ 2018-06-29 2:57 UTC
To: gentoo-user, duane, klondike
On Thu, Jun 28, 2018 at 8:55 PM, Duane Robertson
<duane@duanerobertson.com> wrote:
> On Thu, 28 Jun 2018 23:15:36 +0200
> "Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org> wrote:
>
>> Hi!
>>
>> I just want to notify that an attacker has taken control of the Gentoo
>> organization in Github and has among other things replaced the portage
>> and musl-dev trees with malicious versions of the ebuilds intended to
>> try removing all of your files.
>>
>> Whilst the malicious code shouldn't work as is and GitHub has now
>> removed the organization, please don't use any ebuild from the GitHub
>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>
>> Sincerely,
>> Francisco Blas Izquierdo Riera (klondike)
>> Gentoo developer.
>>
>>
>
> Is it at all likely that any signing keys have been compromised? I
> can't think of how that would happen, but I don't know much about the
> situation.
>
It is my understanding release engineering maintains separate keys
explicitly to prevent situations like this from getting worse.
But, the same machine which was compromised (if a machine was
compromised) likely had commit signing keys. Considering the size of
Gentoo I think GitHub would respond to a request for information on
who added the malicious account to the project if that information is
not already available.
Considering what was done it could be assumed that no access to the
master repository was available. If so, any change pushed to the
mirror might have been far easier to notice and the attacker could
have considered their GitHub access worthless.
I'm not sure the above is a reasonable assessment; someone likely just
burned access easily worth multiple millions of dollars in CPU time.
Other infrastructure should be under scrutiny for past exploitation.
Cheers,
R0b0t1
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 1:12 ` Francisco Blas Izquierdo Riera (klondike)
@ 2018-06-29 7:47 ` Ivan J.
2018-06-29 12:17 ` Francisco Blas Izquierdo Riera (klondike)
2018-07-01 20:28 ` Ilya Trukhanov
0 siblings, 2 replies; 24+ messages in thread
From: Ivan J. @ 2018-06-29 7:47 UTC
To: gentoo-user
On Fri, Jun 29, 2018 at 03:12:15AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 29/06/18 at 00:27, Mick wrote:
> > On Thursday, 28 June 2018 22:54:45 BST Francisco Blas Izquierdo Riera
> > (klondike) wrote:
> >> On 28/06/18 at 23:15, Francisco Blas Izquierdo Riera (klondike) wrote:
> >>> Hi!
> >>>
> >>> I just want to notify that an attacker has taken control of the Gentoo
> >>> organization in Github and has among other things replaced the portage
> >>> and musl-dev trees with malicious versions of the ebuilds intended to
> >>> try removing all of your files.
> >>>
> >>> Whilst the malicious code shouldn't work as is and GitHub has now
> >>> removed the organization, please don't use any ebuild from the GitHub
> >>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
> >>>
> >>> Sincerely,
> >>> Francisco Blas Izquierdo Riera (klondike)
> >>> Gentoo developer.
> >> Just to keep up with it. There is a more complete article published at
> >> https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
> > Thanks for letting us know, but how did this happen?
> I don't think there is an official timeline yet. We suspect the github
> account of an administrator was compromised.
>
> I just brought up the heads-up when I noticed that the portage tree had
> been modified to contain harmful code.
Do you have this code somewhere now? Any chance of seeing what happened?
--
~ parazyd
GnuPG: 03337671FDE75BB6A85EC91FB876CB44FA1B0274
GnuPG: https://parazyd.org/fa1b0274.asc
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 7:47 ` Ivan J.
@ 2018-06-29 12:17 ` Francisco Blas Izquierdo Riera (klondike)
2018-07-01 20:28 ` Ilya Trukhanov
1 sibling, 0 replies; 24+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2018-06-29 12:17 UTC
To: gentoo-user
On 29/06/18 at 09:47, Ivan J. wrote:
> On Fri, Jun 29, 2018 at 03:12:15AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote:
>> On 29/06/18 at 00:27, Mick wrote:
>>> On Thursday, 28 June 2018 22:54:45 BST Francisco Blas Izquierdo Riera
>>> (klondike) wrote:
>>>> On 28/06/18 at 23:15, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>>> Hi!
>>>>>
>>>>> I just want to notify that an attacker has taken control of the Gentoo
>>>>> organization in Github and has among other things replaced the portage
>>>>> and musl-dev trees with malicious versions of the ebuilds intended to
>>>>> try removing all of your files.
>>>>>
>>>>> Whilst the malicious code shouldn't work as is and GitHub has now
>>>>> removed the organization, please don't use any ebuild from the GitHub
>>>>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>>>>
>>>>> Sincerely,
>>>>> Francisco Blas Izquierdo Riera (klondike)
>>>>> Gentoo developer.
>>>> Just to keep up with it. There is a more complete article published at
>>>> https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
>>> Thanks for letting us know, but how did this happen?
>> I don't think there is an official timeline yet. We suspect the github
>> account of an administrator was compromised.
>>
>> I just brought up the heads-up when I noticed that the portage tree had
>> been modified to contain harmful code.
> Do you have this code somewhere now? Any chance of seeing what happened?
>
Sadly no, I tried to obtain it from my browser cache with no luck. I
have two of the malicious commit ids though:
49464b7316dbd7bbfe878cb3da4817c39a6cf11c and
e6db0eb4f76cb920e49a6afc3af067c3d5e4b82b
What I noticed was a clear rm -rf /* as the first line on all ebuilds
but there may have been a more subtle attack too.
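The `rm -rf /*` klondike describes sat on the first line of each ebuild, which is the ebuild's global scope: bash runs those lines whenever the file is sourced, before any phase function is called. The scanner below is an added example and not Gentoo or Portage code. It isolates the global-scope lines of an ebuild by tracking bash function bodies, splits each line into simple commands and flags a recursive `rm` whose operand is the filesystem root. The two ebuild texts in it are constructed samples, not the tampered commits themselves (which are no longer available), and the scope tracking is a deliberate simplification: heredocs, braces inside quoted strings and a `{` on a line of its own are not handled.

```python
"""Flag destructive commands at the global scope of an ebuild.

Added example, not Gentoo or Portage code. Commands outside phase functions
run whenever bash sources the ebuild, so a reviewer or a post-sync hook wants
to catch them before anything sources the file. The sample ebuilds below are
constructed for this example.
"""
import re
import shlex

# `name() {` or `function name() {` on one line opens a function body.
FUNC_START = re.compile(r"^(?:function\s+)?[A-Za-z_][A-Za-z0-9_]*\s*\(\)\s*\{")
# Separators between simple commands on one line: ; | && ||
LIST_SEP = re.compile(r"\s*(?:&&|\|\||[;|])\s*")
# Operands that name the filesystem root (or everything directly under it).
ROOT_OPERANDS = {"/", "/*", "/.", "/*/"}


def global_scope_lines(text):
    """Yield (lineno, line) for non-comment lines outside any function body.

    Depth is tracked by counting braces; `${VAR}` expansions are balanced and
    so do not disturb it. Simplification: heredocs, braces in quoted strings
    and a `{` on its own line are not handled.
    """
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and not FUNC_START.match(line):
            yield lineno, line
        depth = max(0, depth + line.count("{") - line.count("}"))


def is_recursive_root_rm(argv):
    """True for an `rm` that recurses from the filesystem root."""
    if not argv or argv[0] != "rm":
        return False
    flags = [a for a in argv[1:] if a.startswith("-")]
    operands = [a for a in argv[1:] if not a.startswith("-")]
    recursive = any(
        f == "--recursive" or (not f.startswith("--") and bool(set("rR") & set(f[1:])))
        for f in flags
    )
    return recursive and any(op in ROOT_OPERANDS for op in operands)


def scan_ebuild(text):
    """Return [(lineno, command), ...] for root-wiping rm calls at global scope."""
    hits = []
    for lineno, line in global_scope_lines(text):
        for cmd in LIST_SEP.split(line):
            try:
                argv = shlex.split(cmd, comments=True)
            except ValueError:
                continue  # unbalanced quotes after the crude split; skip
            if is_recursive_root_rm(argv):
                hits.append((lineno, cmd))
    return hits


# Constructed sample: a harmless ebuild whose only rm lives inside a phase function.
CLEAN_EBUILD = """\
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

EAPI=6

DESCRIPTION="Constructed sample package"
HOMEPAGE="https://example.invalid/"
SRC_URI="https://example.invalid/${P}.tar.gz"
LICENSE="MIT"
SLOT="0"
KEYWORDS="~amd64"

src_prepare() {
    default
    rm -rf "${S}/bundled-tests" || die
}
"""

# Constructed sample: the same ebuild with a wipe prepended at global scope,
# mirroring the shape klondike described.
TAMPERED_EBUILD = "rm -rf /*\n" + CLEAN_EBUILD


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_EBUILD), ("tampered", TAMPERED_EBUILD)):
        print(name, scan_ebuild(text))
```

The scanner deliberately ignores the same command inside a phase function, where whether it does damage depends on the build sandbox rather than on sourcing the file; that is the question zless raises later in the thread and this check does not answer it.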
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 1:55 ` Duane Robertson
2018-06-29 2:57 ` R0b0t1
@ 2018-06-29 12:19 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-29 13:11 ` R0b0t1
1 sibling, 1 reply; 24+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2018-06-29 12:19 UTC
To: gentoo-user
On 29/06/18 at 03:55, Duane Robertson wrote:
> On Thu, 28 Jun 2018 23:15:36 +0200
> "Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org> wrote:
>
>> Hi!
>>
>> I just want to notify that an attacker has taken control of the Gentoo
>> organization in Github and has among other things replaced the portage
>> and musl-dev trees with malicious versions of the ebuilds intended to
>> try removing all of your files.
>>
>> Whilst the malicious code shouldn't work as is and GitHub has now
>> removed the organization, please don't use any ebuild from the GitHub
>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>
>> Sincerely,
>> Francisco Blas Izquierdo Riera (klondike)
>> Gentoo developer.
>>
>>
> Is it at all likely that any signing keys have been compromised? I
> can't think of how that would happen, but I don't know much about the
> situation.
>
If you mean the release signing key the answer is a clear no according
to infra's forensics. If you mean specific developers' keys it is
unlikely but not fully impossible as we still don't know how the
attackers got hold of the compromised accounts.
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 12:19 ` Francisco Blas Izquierdo Riera (klondike)
@ 2018-06-29 13:11 ` R0b0t1
2018-06-29 15:11 ` Dale
0 siblings, 1 reply; 24+ messages in thread
From: R0b0t1 @ 2018-06-29 13:11 UTC
To: gentoo-user
On Fri, Jun 29, 2018 at 7:19 AM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> On 29/06/18 at 03:55, Duane Robertson wrote:
>> On Thu, 28 Jun 2018 23:15:36 +0200
>> "Francisco Blas Izquierdo Riera (klondike)" <klondike@gentoo.org> wrote:
>>
>>> Hi!
>>>
>>> I just want to notify that an attacker has taken control of the Gentoo
>>> organization in Github and has among other things replaced the portage
>>> and musl-dev trees with malicious versions of the ebuilds intended to
>>> try removing all of your files.
>>>
>>> Whilst the malicious code shouldn't work as is and GitHub has now
>>> removed the organization, please don't use any ebuild from the GitHub
>>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>>
>>> Sincerely,
>>> Francisco Blas Izquierdo Riera (klondike)
>>> Gentoo developer.
>>>
>>>
>> Is it at all likely that any signing keys have been compromised? I
>> can't think of how that would happen, but I don't know much about the
>> situation.
>>
> If you mean the release signing key the answer is a clear no according
> to infra's forensics. If you mean specific developers' keys it is
> unlikely but not fully impossible as we still don't know how the
> attackers got hold of the compromised accounts.
>
I can't help but notice this was moved to gentoo-user. Are posts to
gentoo-dev being moderated properly, or should I not bother submitting
anything?
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 13:11 ` R0b0t1
@ 2018-06-29 15:11 ` Dale
2018-06-30 12:16 ` Marc Joliet
2018-06-30 13:52 ` Francisco Blas Izquierdo Riera (klondike)
0 siblings, 2 replies; 24+ messages in thread
From: Dale @ 2018-06-29 15:11 UTC
To: gentoo-user
R0b0t1 wrote:
>
> I can't help but notice this was moved to gentoo-user. Are posts to
> gentoo-dev being moderated properly, or should I not bother submitting
> anything?
>
>
I suspect it was done to let users know about the breach. Otherwise,
anyone who syncs using the git thingy wouldn't know it is hacked and
shouldn't be trusted.
I could be wrong but that's my guess.
Dale
:-) :-)
* Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-28 21:15 [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning! Francisco Blas Izquierdo Riera (klondike)
2018-06-28 21:54 ` [gentoo-user] " Francisco Blas Izquierdo Riera (klondike)
2018-06-29 1:55 ` Duane Robertson
@ 2018-06-29 15:46 ` gevisz
2018-06-29 15:54 ` Rich Freeman
2018-06-29 16:33 ` Peter Humphrey
3 siblings, 1 reply; 24+ messages in thread
From: gevisz @ 2018-06-29 15:46 UTC
To: gentoo-user
2018-06-29 0:15 GMT+03:00 Francisco Blas Izquierdo Riera (klondike)
<klondike@gentoo.org>:
>
> I just want to notify that an attacker has taken control of the Gentoo
> organization in Github and has among other things replaced the portage
> and musl-dev trees with malicious versions of the ebuilds intended to
> try removing all of your files.
>
> Whilst the malicious code shouldn't work as is and GitHub has now
> removed the organization, please don't use any ebuild from the GitHub
> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
I have heard that Github was bought by MS. So, why not move to GitLab?
* Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 15:46 ` [gentoo-user] " gevisz
@ 2018-06-29 15:54 ` Rich Freeman
0 siblings, 0 replies; 24+ messages in thread
From: Rich Freeman @ 2018-06-29 15:54 UTC
To: gentoo-user
On Fri, Jun 29, 2018 at 11:46 AM gevisz <gevisz@gmail.com> wrote:
>
> 2018-06-29 0:15 GMT+03:00 Francisco Blas Izquierdo Riera (klondike)
> <klondike@gentoo.org>:
> >
> > I just want to notify that an attacker has taken control of the Gentoo
> > organization in Github and has among other things replaced the portage
> > and musl-dev trees with malicious versions of the ebuilds intended to
> > try removing all of your files.
> >
> > Whilst the malicious code shouldn't work as is and GitHub has now
> > removed the organization, please don't use any ebuild from the GitHub
> > mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>
> I have heard that Github was bought by MS. So, why not move to GitLab?
>
This has been the subject of a fair bit of discussion actually.
However, that alone wouldn't have prevented an attack like this as far
as I can tell. That is, the compromise didn't involve anything in
Github's control, but just a compromised password.
There are plenty of reasons to consider moving to GitLab. Right now
the general sentiment seems to be wait-and-see, as gitlab.com is still
proprietary and isn't as popular (which was one of the original
drivers for having support on Github). What I think would have the
bigger impact is if somebody actually came up with a FOSS distributed
solution for bug/issue/PR tracking that was decent. Then just as we
can have multiple mirrors of the code we could have multiple mirrors of
everything else and all of this would be less of an issue.
--
Rich
* Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-28 21:15 [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning! Francisco Blas Izquierdo Riera (klondike)
` (2 preceding siblings ...)
2018-06-29 15:46 ` [gentoo-user] " gevisz
@ 2018-06-29 16:33 ` Peter Humphrey
2018-06-30 13:54 ` Francisco Blas Izquierdo Riera (klondike)
3 siblings, 1 reply; 24+ messages in thread
From: Peter Humphrey @ 2018-06-29 16:33 UTC
To: gentoo-user
On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
(klondike) wrote:
> Hi!
>
> I just want to notify that an attacker has taken control of the Gentoo
> organization in Github and has among other things replaced the portage
> and musl-dev trees with malicious versions of the ebuilds intended to
> try removing all of your files.
>
> Whilst the malicious code shouldn't work as is and GitHub has now
> removed the organization, please don't use any ebuild from the GitHub
> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
Does this mean that we're safe to use anything from after your warning?
--
Regards,
Peter.
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 15:11 ` Dale
@ 2018-06-30 12:16 ` Marc Joliet
2018-06-30 13:52 ` Francisco Blas Izquierdo Riera (klondike)
1 sibling, 0 replies; 24+ messages in thread
From: Marc Joliet @ 2018-06-30 12:16 UTC
To: gentoo-user
On Friday, 29 June 2018, 17:11:36 CEST, Dale wrote:
> git thingy
Heh, a true Dale-ism if I ever saw one ;-) .
--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 15:11 ` Dale
2018-06-30 12:16 ` Marc Joliet
@ 2018-06-30 13:52 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-30 19:00 ` zless
2018-06-30 19:29 ` Dale
1 sibling, 2 replies; 24+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2018-06-30 13:52 UTC
To: gentoo-user
On 29/06/18 at 17:11, Dale wrote:
> R0b0t1 wrote:
>> I can't help but notice this was moved to gentoo-user. Are posts to
>> gentoo-dev being moderated properly, or should I not bother submitting
>> anything?
>>
>>
> I suspect it was done to let users know about the breach. Otherwise,
> anyone who syncs using the git thingy wouldn't know it is hacked and
> shouldn't be trusted.
>
> I could be wrong but that's my guess.
That was indeed the point. When I submitted this I saw the rm -rf /* on
the ebuilds and wanted to make as few people as possible hit by it.
* Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 16:33 ` Peter Humphrey
@ 2018-06-30 13:54 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-30 16:15 ` Rich Freeman
0 siblings, 1 reply; 24+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2018-06-30 13:54 UTC
To: gentoo-user
On 29/06/18 at 18:33, Peter Humphrey wrote:
> On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
> (klondike) wrote:
>> Hi!
>>
>> I just want to notify that an attacker has taken control of the Gentoo
>> organization in Github and has among other things replaced the portage
>> and musl-dev trees with malicious versions of the ebuilds intended to
>> try removing all of your files.
>>
>> Whilst the malicious code shouldn't work as is and GitHub has now
>> removed the organization, please don't use any ebuild from the GitHub
>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
> Does this mean that we're safe to use anything from after your warning?
>
It means you are safe to use anything from official Gentoo sources other
than GitHub. As of now even GitHub should be okay as there was a force
push to restore the repositories.
* Re: [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-30 13:54 ` Francisco Blas Izquierdo Riera (klondike)
@ 2018-06-30 16:15 ` Rich Freeman
2018-06-30 16:50 ` [gentoo-user] " Nikos Chantziaras
0 siblings, 1 reply; 24+ messages in thread
From: Rich Freeman @ 2018-06-30 16:15 UTC
To: gentoo-user
On Sat, Jun 30, 2018 at 9:54 AM Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
>
> On 29/06/18 at 18:33, Peter Humphrey wrote:
> > On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
> > (klondike) wrote:
> >> Hi!
> >>
> >> I just want to notify that an attacker has taken control of the Gentoo
> >> organization in Github and has among other things replaced the portage
> >> and musl-dev trees with malicious versions of the ebuilds intended to
> >> try removing all of your files.
> >>
> >> Whilst the malicious code shouldn't work as is and GitHub has now
> >> removed the organization, please don't use any ebuild from the GitHub
> >> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
> > Does this mean that we're safe to use anything from after your warning?
> >
> It means you are safe to use anything from official Gentoo sources other
> than GitHub. As of now even GitHub should be okay as there was a force
> push to restore the repositories.
>
If you are using git syncing I believe that portage will verify that
the top commit (which is the only one that really matters) is using a
trusted key if you put the following line in repos.conf for the
repository:
sync-git-verify-commit-signature = true
Obviously this only works with repositories signed by one of the Gentoo keys.
I couldn't find documentation on this option. Is there an option like
this that lets you provide your own list of trusted keys, such as for
a mirror? It looks like portage is just looking at a .asc with a
bunch of keys in it and checking that one of them signed the top
commit. Presumably you could provide your own .asc of trusted keys
and use that for other repos that are signed.
Assuming this works (I didn't actually test it with a bad top commit),
it would have prevented this particular attack, or any other that
didn't compromise the Gentoo keys.
--
Rich
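Rich's `sync-git-verify-commit-signature` setting, and his question about naming a trusted keyring for a mirror, as a check a practitioner can run over repos.conf. This is an added example, not Portage code: it reads a repos.conf and, for every git-synced repository, reports whether the top-commit signature check is on, whether a keyring is named, and whether the sync source is the anongit.gentoo.org one Nikos mentions rather than a third-party mirror. `sync-type`, `sync-uri` and `sync-git-verify-commit-signature` are the keys discussed in the thread; `sync-openpgp-key-path` is assumed here to be the Portage key that names the trusted keyring (check `man 5 portage` for your version), and the config text and the `gentoo-release.asc` path are constructed for the example.

```python
"""Lint a Portage repos.conf for git-synced repositories whose top commit
would be accepted without a trusted signature.

Added example, not Portage's own code. `sync-openpgp-key-path` is assumed to
be the key that names the trusted keyring; the config text below is
constructed: one section syncs from a third-party mirror with no
verification, one is the hardened form, one is not git at all.
"""
import configparser

TRUTHY = {"yes", "true", "1"}
OFFICIAL_GIT_HOST = "anongit.gentoo.org"  # the source Gentoo itself publishes

SAMPLE_REPOS_CONF = """\
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
auto-sync = yes

[gentoo-verified]
location = /var/db/repos/gentoo-verified
sync-type = git
sync-uri = https://anongit.gentoo.org/git/repo/sync/gentoo.git
sync-git-verify-commit-signature = yes
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
auto-sync = yes

[localoverlay]
location = /var/db/repos/localoverlay
sync-type = rsync
sync-uri = rsync://mirror.example.invalid/localoverlay
auto-sync = no
"""


def lint_repos_conf(text):
    """Return [(repo, finding), ...] for every git-synced repo that is weak."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("sync-type", "").strip() != "git":
            continue  # only git syncing has a top-commit signature to verify
        uri = sec.get("sync-uri", "").strip()
        verify = sec.get("sync-git-verify-commit-signature", "no").strip().lower()
        keyring = sec.get("sync-openpgp-key-path", "").strip()

        if verify not in TRUTHY:
            findings.append((name, "top commit signature is not checked; "
                                   "set sync-git-verify-commit-signature = yes"))
        elif not keyring:
            # Assumption: without an explicit path, which keys are trusted is
            # left to the syncing user's GnuPG environment.
            findings.append((name, "signature check enabled without an explicit "
                                   "sync-openpgp-key-path; trusted keys are then "
                                   "whatever the GnuPG environment holds"))
        if OFFICIAL_GIT_HOST not in uri:
            findings.append((name, f"sync-uri {uri} is not the official "
                                   f"{OFFICIAL_GIT_HOST} source; a mirror's content "
                                   "is only as trustworthy as the signature check"))
    return findings


def hardened_section(name, location, uri, keyring):
    """Render the repos.conf section a verified git sync needs."""
    return "\n".join([
        f"[{name}]",
        f"location = {location}",
        "sync-type = git",
        f"sync-uri = {uri}",
        "sync-git-verify-commit-signature = yes",
        f"sync-openpgp-key-path = {keyring}",
        "auto-sync = yes",
    ])


if __name__ == "__main__":
    for repo, finding in lint_repos_conf(SAMPLE_REPOS_CONF):
        print(f"{repo}: {finding}")
```

Run against the sample, only the `[gentoo]` section is reported, twice: once for the missing signature check and once for the GitHub sync source. The rsync overlay is skipped because the check only applies to git syncing.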
* [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-30 16:15 ` Rich Freeman
@ 2018-06-30 16:50 ` Nikos Chantziaras
2018-06-30 19:33 ` Rich Freeman
0 siblings, 1 reply; 24+ messages in thread
From: Nikos Chantziaras @ 2018-06-30 16:50 UTC
To: gentoo-user
On 30/06/18 19:15, Rich Freeman wrote:
> On Sat, Jun 30, 2018 at 9:54 AM Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>>
>> On 29/06/18 at 18:33, Peter Humphrey wrote:
>>> On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
>>> (klondike) wrote:
>>>> [...]
>>>> Whilst the malicious code shouldn't work as is and GitHub has now
>>>> removed the organization, please don't use any ebuild from the GitHub
>>>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>> Does this mean that we're safe to use anything from after your warning?
>>>
>> It means you are safe to use anything from official Gentoo sources other
>> than GitHub. As of now even GitHub should be okay as there was a force
>> push to restore the repositories.
>>
>
> If you are using git syncing I believe that portage will verify that
> the top commit (which is the only one that really matters) is using a
> trusted key if you put the following line in repos.conf for the
> repository:
> sync-git-verify-commit-signature = true
>
> Obviously this only works with repositories signed by one of the Gentoo keys.
> [...]
When using git to sync portage, aren't you supposed to use:
git://anongit.gentoo.org/repo/sync/gentoo.git
anyway instead of GitHub?
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-30 13:52 ` Francisco Blas Izquierdo Riera (klondike)
@ 2018-06-30 19:00 ` zless
2018-06-30 19:29 ` Dale
1 sibling, 0 replies; 24+ messages in thread
From: zless @ 2018-06-30 19:00 UTC
To: gentoo-user
On Saturday, 30 June 2018, at 16:52:09 EEST, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 29/06/18 at 17:11, Dale wrote:
> > R0b0t1 wrote:
> >> I can't help but notice this was moved to gentoo-user. Are posts to
> >> gentoo-dev being moderated properly, or should I not bother submitting
> >> anything?
> >>
> >>
> > I suspect it was done to let users know about the breach. Otherwise,
> > anyone who syncs using the git thingy wouldn't know it is hacked and
> > shouldn't be trusted.
> >
> > I could be wrong but that's my guess.
> That was indeed the point. When I submitted this I saw the rm -rf /* on
> the ebuilds and wanted to make as few people as possible hit by it.
>
Anyone tested if the "rm -rf /*" thing works inside the portage sandbox?
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-30 13:52 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-30 19:00 ` zless
@ 2018-06-30 19:29 ` Dale
1 sibling, 0 replies; 24+ messages in thread
From: Dale @ 2018-06-30 19:29 UTC (permalink / raw
To: gentoo-user
Francisco Blas Izquierdo Riera (klondike) wrote:
> On 29/06/18 at 17:11, Dale wrote:
>> R0b0t1 wrote:
>>> I can't help but notice this was moved to gentoo-user. Are posts to
>>> gentoo-dev being moderated properly, or should I not bother submitting
>>> anything?
>>>
>>>
>> I suspect it was done to let users know about the breach. Otherwise,
>> anyone who syncs using the git thingy wouldn't know it is hacked and
>> shouldn't be trusted.
>>
>> I could be wrong but that's my guess.
> That was indeed the point. When I submitted this I saw the rm -rf /* on
> the ebuilds and wanted to make as few people as possible hit by it.
>
Well, I don't use the git thingy but even I sure appreciate the notice.
At least if something like this happens, someone is trying to alert
everyone about it that even MAY be affected. My first thought, someone
is just trying to spook us. Then I saw it was from a @gentoo.org
email. Then it was like, oops. No syncing for a little while. ;-)
Thanks much for the warning. :-D
Dale
:-) :-)
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-30 16:50 ` [gentoo-user] " Nikos Chantziaras
@ 2018-06-30 19:33 ` Rich Freeman
2018-06-30 19:38 ` Mart Raudsepp
0 siblings, 1 reply; 24+ messages in thread
From: Rich Freeman @ 2018-06-30 19:33 UTC (permalink / raw
To: gentoo-user
On Sat, Jun 30, 2018 at 12:50 PM Nikos Chantziaras <realnc@gmail.com> wrote:
>
> On 30/06/18 19:15, Rich Freeman wrote:
> >
> > If you are using git syncing I believe that portage will verify that
> > the top commit (which is the only one that really matters) is using a
> > trusted key if you put the following line in repos.conf for the
> > repository:
> > sync-git-verify-commit-signature = true
> >
> > Obviously this only works with repositories signed by one of the Gentoo keys.
>
> When using git to sync portage, aren't you supposed to use:
>
> git://anongit.gentoo.org/repo/sync/gentoo.git
>
> anyway instead of GitHub?
>
A few comments there:
1. That particular repository isn't ideal since it lacks metadata.
You'll benefit from the better performance of git vs rsync, but you'll
lose out regenerating the cache. It is of course the right place to
pull for patches/etc.
2. The gentoo-mirror stable branch that benefits from CI+metadata
isn't available on Gentoo infra as far as I'm aware.
3. No matter where you're syncing from, it still makes sense to
verify the gpg signatures. This time it was github being compromised,
but what if a mirror or a gentoo infra server had been compromised?
Granted, in some of those scenarios gpg wouldn't help, but it will
definitely defeat some attacks, so it is beneficial to test it. If
gpg doesn't verify the repository, you probably don't want to be using
it without some attention.
All that said, I'm not sure what portage even does if it fails to
verify. The git pull was already done, so does it just output an
error but still leave the corrupt tree out there for any subsequent
emerge commands to see? Or does it do something to make the tree
invalid?
--
Rich
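The question at the end of this message (what happens once the pull has already landed and the top commit does not verify) has one straightforward defensive answer: check the top commit yourself and put the checkout back where it was before the pull. The script below is an added example written for this thread; it is not portage's own code and not from anyone in the thread. It assumes git is configured with a gpg keyring holding the keys you trust, that `TRUSTED_FPRS` lists their full fingerprints (the default value is a constructed placeholder, not a real Gentoo key), and that the repository path passed on the command line is where your git-synced tree lives.

```shell
#!/bin/sh
# Added example for this thread, not portage's own code and not from any
# message here: after a git sync, check the top commit's signature and,
# if it is not a good signature from a trusted key, roll the checkout back
# to the commit that was there before the pull so nothing that runs later
# (such as an emerge) sees the unverified tree.
#
# Assumptions: git is configured with a gpg keyring that holds the keys you
# trust; TRUSTED_FPRS lists their full fingerprints (the value below is a
# constructed placeholder, not a real Gentoo key).
TRUSTED_FPRS="${TRUSTED_FPRS:-0000000000000000000000000000000000000000}"

# commit_is_trusted STATUS FINGERPRINT
# STATUS is git's %G? signature letter ("G" good, "B" bad, "U" good but
# untrusted key, "X"/"Y" expired, "R" revoked, "E" cannot check, "N" none);
# FINGERPRINT is git's %GF. Returns 0 only for a good signature whose key is
# listed in TRUSTED_FPRS; every other combination is treated as a failure.
commit_is_trusted() {
    status="$1"
    fpr="$2"
    [ "$status" = "G" ] || return 1
    for t in $TRUSTED_FPRS; do
        [ "$t" = "$fpr" ] && return 0
    done
    return 1
}

# verify_and_rollback REPO_DIR
# Reads HEAD's signature status and signing key, then either accepts the
# tree or resets it to ORIG_HEAD (the ref git pull records before it moves
# HEAD), so the checkout does not stay on an unverified commit.
verify_and_rollback() {
    repo="$1"
    out=$(git -C "$repo" log -1 --format='%G?%n%GF' HEAD) || return 2
    status=$(printf '%s\n' "$out" | sed -n '1p')
    fpr=$(printf '%s\n' "$out" | sed -n '2p')
    if commit_is_trusted "$status" "$fpr"; then
        echo "OK: HEAD of $repo carries a good signature from trusted key $fpr"
        return 0
    fi
    echo "FAIL: HEAD of $repo has signature status '$status' from key '$fpr'" >&2
    if git -C "$repo" rev-parse -q --verify ORIG_HEAD >/dev/null; then
        git -C "$repo" reset -q --hard ORIG_HEAD
        echo "rolled back to ORIG_HEAD $(git -C "$repo" rev-parse --short HEAD)" >&2
    fi
    return 1
}

# Usage: sh verify-sync.sh /var/db/repos/gentoo   (the path is an assumption)
if [ "$#" -gt 0 ]; then
    verify_and_rollback "$1"
fi
```

Run it right after the sync, and treat any non-zero exit as "do not emerge from this tree". The decision is deliberately kept in a function that takes git's two format fields as plain arguments, so the acceptance rule (good signature, and the key is on the list) can be checked without a repository at hand, and a good signature from an unknown key is rejected rather than merely warned about.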
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-30 19:33 ` Rich Freeman
@ 2018-06-30 19:38 ` Mart Raudsepp
0 siblings, 0 replies; 24+ messages in thread
From: Mart Raudsepp @ 2018-06-30 19:38 UTC (permalink / raw
To: gentoo-user
On Saturday, 30.06.2018 at 15:33, Rich Freeman wrote:
> On Sat, Jun 30, 2018 at 12:50 PM Nikos Chantziaras <realnc@gmail.com>
> wrote:
> >
> > On 30/06/18 19:15, Rich Freeman wrote:
> > >
> > > If you are using git syncing I believe that portage will verify
> > > that
> > > the top commit (which is the only one that really matters) is
> > > using a
> > > trusted key if you put the following line in repos.conf for the
> > > repository:
> > > sync-git-verify-commit-signature = true
> > >
> > > Obviously this only works with repositories signed by one of the
> > > Gentoo keys.
> >
> > When using git to sync portage, aren't you supposed to use:
> >
> > git://anongit.gentoo.org/repo/sync/gentoo.git
> >
> > anyway instead of GitHub?
> >
>
> A few comments there:
>
> 1. That particular repository isn't ideal since it lacks metadata.
> You'll benefit from the better performance of git vs rsync, but
> you'll
> lose out regenerating the cache. It is of course the right place to
> pull for patches/etc.
> 2. The gentoo-mirror stable branch that benefits from CI+metadata
> isn't available on Gentoo infra as far as I'm aware.
That repo/sync/gentoo.git is EXACTLY that. Same thing as gentoo-mirror
on GH. Has metadata cache and is pushed only to if CI passes.
I think the underlying setup just pushes to both gentoo-mirror and
there now.
Note the /sync/ in path, it's not the main tree devs push to.
Mart
* Re: [gentoo-user] Re: Hostile takeover of our github mirror. Don't use ebuild from there until new warning!
2018-06-29 7:47 ` Ivan J.
2018-06-29 12:17 ` Francisco Blas Izquierdo Riera (klondike)
@ 2018-07-01 20:28 ` Ilya Trukhanov
1 sibling, 0 replies; 24+ messages in thread
From: Ilya Trukhanov @ 2018-07-01 20:28 UTC (permalink / raw
To: gentoo-user
On 06/29/2018 10:47 AM, Ivan J. wrote:
> On Fri, Jun 29, 2018 at 03:12:15AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote:
>> On 29/06/18 at 00:27, Mick wrote:
>>> On Thursday, 28 June 2018 22:54:45 BST Francisco Blas Izquierdo Riera
>>> (klondike) wrote:
>>>> On 28/06/18 at 23:15, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>>> Hi!
>>>>>
>>>>> I just want to notify that an attacker has taken control of the Gentoo
>>>>> organization in Github and has among other things replaced the portage
>>>>> and musl-dev trees with malicious versions of the ebuilds intended to
>>>>> try removing all of your files.
>>>>>
>>>>> Whilst the malicious code shouldn't work as is and GitHub has now
>>>>> removed the organization, please don't use any ebuild from the GitHub
>>>>> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>>>>>
>>>>> Sincerely,
>>>>> Francisco Blas Izquierdo Riera (klondike)
>>>>> Gentoo developer.
>>>> Just to keep up with it. There is a more complete article published at
>>>> https://www.gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
>>> Thanks for letting us know, but how did this happen?
>> I don't think there is an official timeline yet. We suspect the github
>> account of an administrator was compromised.
>>
>> I just brought up the heads up when I noticed that the portage tree had
>> been modified to contain harmful code.
> Do you have this code somewhere now? Any chance of seeing what happened?
>
Nothing interesting, they simply prepended every ebuild with "rm -rf
/*". Pretty sure this wouldn't even do anything because of sandbox.
2018-06-28 21:15 [gentoo-user] Hostile takeover of our github mirror. Don't use ebuild from there until new warning! Francisco Blas Izquierdo Riera (klondike)
2018-06-28 21:54 ` [gentoo-user] " Francisco Blas Izquierdo Riera (klondike)
2018-06-28 22:27 ` Mick
2018-06-29 1:12 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-29 7:47 ` Ivan J.
2018-06-29 12:17 ` Francisco Blas Izquierdo Riera (klondike)
2018-07-01 20:28 ` Ilya Trukhanov
2018-06-29 1:55 ` Duane Robertson
2018-06-29 2:57 ` R0b0t1
2018-06-29 12:19 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-29 13:11 ` R0b0t1
2018-06-29 15:11 ` Dale
2018-06-30 12:16 ` Marc Joliet
2018-06-30 13:52 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-30 19:00 ` zless
2018-06-30 19:29 ` Dale
2018-06-29 15:46 ` [gentoo-user] " gevisz
2018-06-29 15:54 ` Rich Freeman
2018-06-29 16:33 ` Peter Humphrey
2018-06-30 13:54 ` Francisco Blas Izquierdo Riera (klondike)
2018-06-30 16:15 ` Rich Freeman
2018-06-30 16:50 ` [gentoo-user] " Nikos Chantziaras
2018-06-30 19:33 ` Rich Freeman
2018-06-30 19:38 ` Mart Raudsepp