On Fri, Jun 29, 2018 at 11:46 AM gevisz <gev...@gmail.com> wrote:
>
> 2018-06-29 0:15 GMT+03:00 Francisco Blas Izquierdo Riera (klondike)
> <klond...@gentoo.org>:
> >
> > I just want to notify that an attacker has taken control of the Gentoo
> > organization in Github and has among other things replaced the portage
> > and musl-dev trees with malicious versions of the ebuilds intended to
> > try removing all of your files.
> >
> > Whilst the malicious code shouldn't work as is and GitHub has now
> > removed the organization, please don't use any ebuild from the GitHub
> > mirror obtained before 28/06/2018, 18:00 GMT until new warning.
>
> I have heard that Github was bought by MS. So, why not to move to GitLab?
>
This has been the subject of a fair bit of discussion actually. However, that alone wouldn't have prevented an attack like this as far as I can tell. That is, the compromise didn't involve anything in Github's control, but just a compromised password.

There are plenty of reasons to consider moving to GitLab. Right now the general sentiment seems to be wait-and-see, as gitlab.com is still proprietary and isn't as popular (which was one of the original drivers for having support on Github).

What I think would have the bigger impact is if somebody actually came up with a FOSS distributed solution for bug/issue/PR tracking that was decent. Then just as we can have multiple mirrors of the code we could have multiple mirrors of everything else and all of this would be less of an issue.

--
Rich