Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Thu Jun 28, 2018 10:05 pm Post subject: Gentoo github hacked
https://gentoo.org/news/2018/06/28/Github-gentoo-org-hacked.html
Quote:
    Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised.
    This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.
    Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.
    All Gentoo commits are signed, and you should verify the integrity of the signatures when using git.
Well, I am using git.gentoo.org, so phew, but shouldn't aspects of the portage tree be synced from different infra? I.e. manifest from one, ebuilds from another.
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Thu Jun 28, 2018 10:20 pm Post subject: Arrrgh: Gentoo git on github.com hacked
https://www.gentoo.org/ shows:
----
Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised.
This does NOT affect any code hosted on the Gentoo infrastructure.
----
I just had as the first line of every ebuild:
rm /*
So I can see that the aggressor is (hopefully) not any kind of expert on gentoo systems.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Thu Jun 28, 2018 10:21 pm
Thanks! I've commented out my nightly sync from crontab and restarted vixie-cron. Then I used scp to copy the tree from one of the workstation boxes that hasn't been updated since Sunday to the central server, in case it was polluted.
EDIT: We're seeing that famed Microsoft security.
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Thu Jun 28, 2018 10:31 pm
https://github.com/gentoo-mirror/gentoo
might also be affected: I get an enormous .git directory
I just killed the sync while downloading and deleted ...
Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Thu Jun 28, 2018 10:40 pm
Is this safe or compromised?
Code:
tux ~ # cat /etc/portage/repos.conf/gentoo.conf
[DEFAULT]
main-repo = gentoo
[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
auto-sync = yes
sync-rsync-verify-jobs = 1
sync-rsync-verify-metamanifest = yes
sync-rsync-verify-max-age = 24
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Thu Jun 28, 2018 10:47 pm
That's using rsync, so that should be OK, especially with the additional checks recently added.
Whissi Retired Dev
Joined: 12 Jan 2011 Posts: 222
Posted: Thu Jun 28, 2018 10:51 pm
ulenrich wrote:
    https://github.com/gentoo-mirror/gentoo
    might also be affected: I get an enormous .git directory
    I just killed the sync while downloading and deleted ...
No. Please don't spread false rumors. https://github.com/gentoo-mirror is a separate organization account which is not affected.
https://github.com/gentoo-mirror/gentoo is larger because it also contains pre-generated metadata like our rsync mirrors.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54099 Location: 56N 3W
Posted: Thu Jun 28, 2018 10:55 pm
Merged the two topics and stuck the result as there will be a lot of community interest.
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Fri Jun 29, 2018 1:22 am
I am pretty sure github.com/gentoo-mirrors
also is hacked: As soon as I realized the github.com/gentoo git is paralysed
(I tried to enter the website, but only got the response from github via firefox
that the repository user does not exist)
I did try the github.com/gentoo-mirrors organisation, and experienced:
1. That sync worked the first time on github.com/gentoo-mirrors
2. But because of the trouble before, I had removed all of my scripts at /etc/portage/postsync.d;
therefore I now put the scripts back into postsync.d and immediately let another "emerge --sync" follow
... just to let the scripts work after the very soon new sync. Now, I only intended an empty, early sync:
3. emerge --sync on github.com/gentoo-mirrors
got a whole lot of new objects now: about 4 times the normal load
4. Because the awful lot to download didn't stop, I interrupted that and
5. deleted all of the portage tree
Until that time, I had not looked at www.gentoo.org for the news ...
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Fri Jun 29, 2018 1:30 am
Whissi wrote:
    ulenrich wrote:
        https://github.com/gentoo-mirror/gentoo
        might also be affected: I get an enormous .git directory
        I just killed the sync while downloading and deleted ...
    No. Please don't spread false rumors. https://github.com/gentoo-mirror is a separate organization account which is not affected.
    https://github.com/gentoo-mirror/gentoo is larger because it also contains pre-generated metadata like our rsync mirrors.
But why my strange experience as I had described above:
The second sync immediately after the first did download 4 times more new objects!
???
PS: And, is there a way to use that git repository without the metadata?
duane Apprentice
Joined: 03 Jun 2002 Posts: 193 Location: Oklahoma City
Posted: Fri Jun 29, 2018 2:12 am
Tony0945 wrote:
    EDIT: We're seeing that famed Microsoft security.
I hate to admit it, but that's one of the first things that popped into my head. Then I started thinking, "This is pretty obvious. Maybe it's a feint, to distract people from a more serious hack."
I hope there's no way any signing keys could be compromised.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Jun 29, 2018 2:22 am
I doubt anything happened to any keys, but the attacker apparently wasn't very smart to begin with; it's unlikely they'd even know what to do with such a thing if they had it.
slackline Veteran
Joined: 01 Apr 2005 Posts: 1471 Location: /uk/sheffield
Posted: Fri Jun 29, 2018 7:01 am
For those who sync using git, current safe settings are therefore...
/etc/portage/repos.conf/gentoo:
[DEFAULT]
main-repo = gentoo
[gentoo]
location = /usr/portage
# Disable rsync
#sync-type = rsync
#sync-uri = rsync://rsync.gentoo.org/gentoo-portage
sync-type = git
# Either of these two are fine
#sync-uri = https://github.com/gentoo-mirror/gentoo.git
sync-uri = https://gitweb.gentoo.org/repo/gentoo.git
auto-sync = yes
priority = 1000
If you want to switch back to rsync you will likely need to add the following (as emerge reports if you don't have it)...
Code:
sync-rsync-vcs-ignore = true
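An added check of the repos.conf settings discussed in this thread (Marlo's rsync configuration above and the git settings in this post); this is example code, not from the Gentoo project or either poster. It flags a git sync from the github.com/gentoo organization named in the notice, accepts the github.com/gentoo-mirror and gitweb.gentoo.org sources, and for rsync requires the MetaManifest verification options; the sample repos.conf is constructed.

```python
import configparser
from urllib.parse import urlparse

# Git sources the notice and this thread describe as unaffected: (host, first path component).
UNAFFECTED_GIT = {("github.com", "gentoo-mirror"), ("gitweb.gentoo.org", "repo")}

def assess_repo(section):
    """Findings for one [repo] section of repos.conf; an empty list means nothing flagged."""
    findings = []
    sync_type = section.get("sync-type", "")
    uri = urlparse(section.get("sync-uri", ""))
    if sync_type == "rsync":
        if uri.hostname != "rsync.gentoo.org":
            findings.append("rsync from %r rather than rsync.gentoo.org" % uri.hostname)
        if section.get("sync-rsync-verify-metamanifest", "no").lower() != "yes":
            findings.append("sync-rsync-verify-metamanifest is not 'yes': tree is not OpenPGP-verified")
        if not section.get("sync-openpgp-key-path"):
            findings.append("sync-openpgp-key-path unset: no trusted key to verify against")
    elif sync_type == "git":
        org = uri.path.strip("/").split("/")[0]  # 'gentoo' in https://github.com/gentoo/gentoo.git
        if uri.hostname == "github.com" and org == "gentoo":
            findings.append("github.com/gentoo was compromised on 2018-06-28: treat the tree as "
                            "compromised and resync from gitweb.gentoo.org or github.com/gentoo-mirror")
        elif (uri.hostname, org) not in UNAFFECTED_GIT:
            findings.append("git source %s/%s is not a known Gentoo source" % (uri.hostname, org))
    else:
        findings.append("unknown sync-type %r" % sync_type)
    return findings

def assess_repos_conf(text):
    """Parse a repos.conf and map each repository name to its findings."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: assess_repo(cp[name]) for name in cp.sections()}

# Constructed sample: a git sync still pointed at the github.com/gentoo organization.
SAMPLE_REPOS_CONF = """
[DEFAULT]
main-repo = gentoo
[gentoo]
location = /usr/portage
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
auto-sync = yes
"""

if __name__ == "__main__":
    for repo, findings in assess_repos_conf(SAMPLE_REPOS_CONF).items():
        print(repo, findings or ["OK"])
```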
Marcih Apprentice
Joined: 19 Feb 2018 Posts: 213
Posted: Fri Jun 29, 2018 9:31 am
Looks like summer has officially arrived.
If they had at least taken the time to target Gentoo's actual repositories, the ones 99% of users rsync with. We should be glad that didn't happen, of course.
marax_faraii n00b
Joined: 11 Apr 2016 Posts: 40
Posted: Fri Jun 29, 2018 10:01 am Post subject: Recent news of Gentoo git being hacked
I've been using the git repo basically for the only reason that it was faster. As a normal user, that matters for some reason unbeknownst to me.
On that note, instead of having it on github, wouldn't it be beneficial for the devs to host on their own infrastructure using gitlab?
simonvanderveldt Apprentice
Joined: 26 Jan 2016 Posts: 151
Posted: Fri Jun 29, 2018 10:20 am Post subject: Re: Recent news of Gentoo git being hacked
marax_faraii wrote:
    I've been using the git repo basically for the only reason that it was faster. As a normal user, that matters for some reason unbeknownst to me.
    On that note, instead of having it on github, wouldn't it be beneficial for the devs to host on their own infrastructure using gitlab?
It's irrelevant where it's hosted if people with access aren't taking care of their basic security.
f.kater Guru
Joined: 23 May 2002 Posts: 342 Location: Berlin
Posted: Fri Jun 29, 2018 11:16 am Post subject: On github hack: Comparing repositories
To check whether my git-based portage trees that I downloaded from github are
sane, I've downloaded another portage tree as a tar file which is hopefully
ok.
IMHO comparing the DIST lines of the Manifest entries for all ebuild versions
between the two repos should reveal whether the current repo has compromised
entries, correct?
So, I've been using the following script to do so. You need to adjust the two
path variables portage_check and portage_safe to your local repositories.
Note: Large Manifest files take a while, all in all about 1 hour on my box.
Code:
#!/bin/bash
# Tree to check (synced from github) and a tree believed to be clean (e.g. from rsync).
portage_check="/usr/portage"
portage_safe="/usr/portage-rsync"
pushd . &> /dev/null
cd "${portage_check}" || exit 1
printf "\n"
# Manifest paths in the tree contain no whitespace, so the word splitting here is safe.
for file1 in $(find . -name "Manifest" -print0 | sort -z | xargs -r0)
do
    nlines=$(cat ${file1} | wc -l)
    count=0
    while read -r line
    do
        count=$((count + 1))
        printf "\r%-78s" "CHECKING ${file1} (line: ${count}/${nlines})"
        # Manifest DIST lines look like: DIST <distfile> <size> BLAKE2B <hash> SHA512 <hash>
        IFS=' ' read -r f1 f2 f3 f4 f5 f6 <<<"$line"
        if [[ "${f1}" == "DIST" ]]; then
            file2="${portage_safe}/${file1}"
            if [[ ! -f "${file2}" ]]; then
                # report once per Manifest, then move on to the next one
                printf "\nMANIFEST NOT FOUND: %s\n" "${file2}"
                break
            fi
            # scan the safe manifest for the same distfile and compare the first hash (f5 vs g5)
            while read -r line2
            do
                IFS=' ' read -r g1 g2 g3 g4 g5 g6 <<<"$line2"
                if [[ "${g1}" == "DIST" && "${g2}" == "${f2}" ]]; then
                    if [[ "${f5}" != "${g5}" ]]; then
                        printf "\nHASH DIFFERS: distfile %s (in %s)\n" "${g2}" "${file1}"
                    fi
                fi
            done <"${file2}"
        fi
    done <"${file1}"
done
printf "\nDONE\n"
popd &> /dev/null
Yamakuzure Advocate
Joined: 21 Jun 2006 Posts: 2280 Location: Adendorf, Germany
Posted: Fri Jun 29, 2018 11:49 am
duane wrote:
    Tony0945 wrote:
        EDIT: We're seeing that famed Microsoft security.
    I hate to admit it, but that's one of the first things that popped into my head.
Guys, you do know that Microsoft does not own Github, yet, right?
Microsoft wrote:
    Subject to customary closing conditions and completion of regulatory review, the acquisition is expected to close by the end of the calendar year.
AngelKnight Tux's lil' helper
Joined: 14 Jan 2003 Posts: 127
Posted: Fri Jun 29, 2018 12:09 pm Post subject: Re: Recent news of Gentoo git being hacked
The notice is potentially confusing to folks who didn't know [1] or care that the Gentoo folks maintained more than one Github organization.
An answer to the following question would be useful:
Are URLs that start with https://github.com/gentoo-mirror/ safe?
Answers:
For now I'm proceeding with "no", since that's the safest answer for me, but some explicit clarity on this would make it easier to know what's definitely risky as a result of this compromise.
[1] I'm one of those
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 12:23 pm Post subject: Re: Recent news of Gentoo git being hacked
AngelKnight wrote:
    An answer to the following question would be useful: Are URLs that start with https://github.com/gentoo-mirror/ safe?
AngelKnight ... yes ... 'gentoo-mirror' is a separate account, see here.
best ... khay
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 12:31 pm
Tony0945 wrote:
    EDIT: We're seeing that famed Microsoft security.
duane wrote:
    I hate to admit it, but that's one of the first things that popped into my head.
Yamakuzure wrote:
    Guys, you do know that Microsoft does not own Github, yet, right? ;)
Yamakuzure ... hold my beer ... you think microsoft would buy it if it didn't suck security wise? ;)
(not that I think the account was compromised by anything other than actions taken by those maintaining the repo).
best ... khay
dalu Guru
Joined: 20 Jan 2003 Posts: 529
Posted: Fri Jun 29, 2018 12:38 pm
M$ buys Github, Gentoo gets hacked.
It's either an inside job to protest the M$ acquisition, some kids acting stupid, or actually M$/affiliates doing their magic.
Either case, it's not the 1st time Gentoo repos were "hacked".
And this is just the epitome of the chaos and intransparency Gentoo is.
AngelKnight Tux's lil' helper
Joined: 14 Jan 2003 Posts: 127
Posted: Fri Jun 29, 2018 12:42 pm Post subject: Re: Recent news of Gentoo git being hacked
khayyam wrote:
    AngelKnight ... yes ... 'gentoo-mirror' is a separate account, see here.
    best ... khay
Cheers, my search-fu failed.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 1:20 pm
f.kater ...
that criterion of validity could only be true if the tree was modified on a gentoo host, the manifests rebuilt subsequently (using 'ebuild' or 'repoman'), and then those changes pushed. If the reports so far suggest anything it's that those responsible have no idea what they were doing ... and so that is highly unlikely to be the case.
... and btw:
f.kater wrote:
    Code:
    nlines=$(cat ${file1} | wc -l)
... useless use of cat:
Code:
nlines=$(wc -l < "$file")
best ... khay
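As an added example (not f.kater's script above, nor anything from the Gentoo project), the same two-tree comparison in Python, extended in the direction khayyam's reply points: Manifest DIST entries are compared hash by hash, and every ebuild file is also hashed directly in both trees, so an edited ebuild whose Manifest was never regenerated is still reported. The two sample trees are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

MANIFEST_KINDS = ("DIST", "EBUILD", "MISC", "AUX")  # entry types a Manifest may carry

def parse_manifest(text):
    """Map (type, filename) -> {hash name: hex}; a line looks like 'DIST foo.tgz 1 BLAKE2B <hex> SHA512 <hex>'."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in MANIFEST_KINDS:
            entries[(f[0], f[1])] = dict(zip(f[3::2], f[4::2]))
    return entries

def file_sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def compare_trees(check_root, safe_root):
    """Walk the tree under test; return (category, relative path, detail). Files only in the safe tree are not reported."""
    findings = []
    for dirpath, _dirs, files in os.walk(check_root):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), check_root)
            p_check, p_safe = os.path.join(check_root, rel), os.path.join(safe_root, rel)
            if not os.path.isfile(p_safe):
                findings.append(("MISSING_IN_SAFE", rel, ""))
            elif name == "Manifest":
                with open(p_check) as a, open(p_safe) as b:
                    m_check, m_safe = parse_manifest(a.read()), parse_manifest(b.read())
                for key in sorted(set(m_check) | set(m_safe)):  # added, removed or changed entries
                    if m_check.get(key) != m_safe.get(key):
                        findings.append(("MANIFEST_DIFFERS", rel, "%s %s" % key))
            elif name.endswith(".ebuild") and file_sha256(p_check) != file_sha256(p_safe):
                findings.append(("EBUILD_DIFFERS", rel, ""))  # caught even if the Manifest was not rebuilt
    return findings

def build_sample_trees():
    """Constructed sample: a clean tree, and a copy where one ebuild got the hostile first line from this thread."""
    root = tempfile.mkdtemp()
    for tree, ebuild in (("safe", "EAPI=6\n"), ("check", "rm /*\nEAPI=6\n")):
        pkg = os.path.join(root, tree, "app-misc", "foo")
        os.makedirs(pkg)
        files = {"Manifest": "DIST foo-1.0.tar.gz 100 BLAKE2B aa11 SHA512 bb22\n", "foo-1.0.ebuild": ebuild}
        for name, body in files.items():
            with open(os.path.join(pkg, name), "w") as fh:
                fh.write(body)
    return os.path.join(root, "check"), os.path.join(root, "safe")
```

Running compare_trees over the sample reports the ebuild as EBUILD_DIFFERS while its unchanged Manifest produces nothing, which is exactly the case f.kater's DIST-only comparison cannot see.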