On Thu, Jun 28, 2018 at 8:55 PM, Duane Robertson
<du...@duanerobertson.com> wrote:
> On Thu, 28 Jun 2018 23:15:36 +0200
> "Francisco Blas Izquierdo Riera (klondike)" <klond...@gentoo.org> wrote:
>
>> Hi!
>>
>> I just want to notify that an attacker has taken control of the Gentoo
>> organization in Github and has among other things replaced the portage
>> and musl-dev trees with malicious versions of the ebuilds intended to
>> try removing all of your files.
>>
>> Whilst the malicious code shouldn't work as is and GitHub has now
>> removed the organization, please don't use any ebuild from the GitHub
>> mirror ontained before 28/06/2018, 18:00 GMT until new warning.
>>
>> Sincerely,
>> Francisco Blas Izquierdo Riera (klondike)
>> Gentoo developer.
>>
>>
>
> Is it at all likely that any signing keys have been compromised? I
> can't think of how that would happen, but I don't know much about the
> situation.
>
It is my understanding release engineering maintains separate keys
explicitly to prevent situations like this from getting worse.
But, the same machine which was compromised (if a machine was
compromised) likely had commit signing keys. Considering the size of
Gentoo I think GitHub would respond to a request for information on
who added the malicious account to the project if that information is
not already available.
Considering what was done it could be assumed that no access to the
master repository was available. If so, any change pushed to the
mirror might have been far easier to notice and the attacker could
have considered their GitHub access worthless.
I'm not sure the above is a reasonable assessment; someone likely just
burned access easily worth multiple millions of dollars in CPU time.
Other infrastructure should be under scrutiny for past exploitation.
Cheers,
R0b0t1
