f.kater Guru
Joined: 23 May 2002 Posts: 342 Location: Berlin
Posted: Fri Jun 29, 2018 1:37 pm
khayyam wrote:
> f.kater ... that criteria of validity could only be true if the tree was modified on a gentoo host, the manifests rebuilt subsequently (using 'ebuild' or 'repoman'), and then those changes pushed. If the reports so far suggest anything it's that those responsible have no idea what they were doing ... and so that is highly unlikely to be the case.

Thanks but I don't get your point. If not Manifests how would you compare two portage trees to make sure the used one is sane?

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Jun 29, 2018 1:42 pm
git log --show-signature

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 1:50 pm
f.kater wrote:
> Thanks but I don't get your point. If not Manifests how would you compare two portage trees to make sure the used one is sane?

f.kater ... but you know one of them is "sane" right? So, what are you looking for? If you want to know what files were modified, and where, you're better off diff'ing the tree(s), because most likely (I'd say 99.9999%) the manifests weren't regenerated (and so your check will reveal nothing).
best ... khay

Moonboots Apprentice
Joined: 02 Dec 2006 Posts: 161
Posted: Fri Jun 29, 2018 1:55 pm
A compromised account. Looks like we may have got off lightly.
Quote:
> Some members may have to add 2FA to their GitHub accounts first.

Nuff said

f.kater Guru
Joined: 23 May 2002 Posts: 342 Location: Berlin
Posted: Fri Jun 29, 2018 2:10 pm
Maybe this is obsolete as checking signatures might be a shorter solution.
Besides that:
khayyam wrote:
> f.kater ... but you know one of them is "sane" right? So, what are you looking for? If you want to know what files were modified, and where, you're better off diff'ing the tree(s)

Have you tried? Diffing two trees while one is via github, some weeks old, and the other current (supposedly ok) and from a tar archive? They differ a lot. So I came up with reading out the Manifest entries.
khayyam wrote:
> because most likely (I'd say 99.9999%) the manifests weren't regenerated (and so your check will reveal nothing). best ... khay

I would like to find out if I received and maybe even installed invalid packages. I assume that installing packages is prevented when the hashes do not match.
But you state Manifests are most likely not affected.
If so, please elaborate a bit, especially on a hacked github mirror.
If not what's the buzz at all?
Thanks...!

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 2:37 pm
khayyam wrote:
> f.kater ... but you know one of them is "sane" right? So, what are you looking for? If you want to know what files were modified, and where, you're better off diff'ing the tree(s)

f.kater wrote:
> Have you tried? Diffing two trees while one is via github, some weeks old, and the other current (supposedly ok) and from a tar archive? They differ a lot. So I came up with reading out the Manifest entries.

f.kater ... I haven't no, I'm not using the github repo. All I was attempting to point out is that the manifests won't be an accurate reflection of any changes made, because (most likely) they weren't regenerated subsequent to the tree being modified. So, your check will pick up the differences in the tree but it will not be able to validate if those changes are the result of the modifications that were made by the hacker.

khayyam wrote:
> [...] because most likely (I'd say 99.9999%) the manifests weren't regenerated (and so your check will reveal nothing).

f.kater wrote:
> I would like to find out if I received and maybe even installed invalid packages. I assume that installing packages is prevented when the hashes do not match.

That would only happen if the manifests were regenerated (which again, doesn't seem to be the case), so had you attempted to merge such a package portage would fail on the manifest check.

f.kater wrote:
> But you state Manifests are most likely not affected.

Right, so such problems would have been caught by portage.

f.kater wrote:
> If so, please elaborate a bit, especially on a hacked github mirror. If not what's the buzz at all?

I think it's simply a matter of erring on the side of caution, we don't know exactly what was done (but no doubt soon will), from what we do know I don't expect anyone to have been exposed to the 'rm /*' that was inserted into (some/all?) ebuilds.
If you wanted to run some sort of check /var/db/pkg/*/*/*.ebuild can be compared with those ebuilds in the unaffected tree ... but that is probably unnecessary.
best ... khay
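One way to script the check khayyam suggests above (comparing the ebuild stored for each installed package under /var/db/pkg against the same ebuild in a tree you trust), as an added example that is not code from the thread. The compare_installed_ebuilds and make_sample names are this example's own, the sample packages are constructed, and the trusted-tree path /var/db/repos/gentoo is an assumption.

```shell
#!/bin/sh
# Compare the ebuild recorded for each installed package (a /var/db/pkg-style
# directory: <cat>/<pkg>-<ver>/<pkg>-<ver>.ebuild) with the same file in a
# trusted tree (<cat>/<pkg>/<pkg>-<ver>.ebuild). Reports OK/DIFFERS/MISSING
# per package and returns 0 only when every installed ebuild matches.
# Assumed real-world call: compare_installed_ebuilds /var/db/pkg /var/db/repos/gentoo
compare_installed_ebuilds() {
    vdb=$1; tree=$2; bad=0
    for eb in "$vdb"/*/*/*.ebuild; do
        [ -f "$eb" ] || continue                  # unmatched glob: nothing installed
        pkgdir=${eb%/*}                           # .../<cat>/<pkg>-<ver>
        pn=${pkgdir##*/}                          # e.g. bar-2.1-r1
        category=${pkgdir%/*}; category=${category##*/}   # e.g. app-misc
        # Package name is everything before the first "-<digit>" (start of version).
        pkg=$(printf '%s\n' "$pn" | sed 's/-[0-9].*$//')
        ref="$tree/$category/$pkg/${eb##*/}"
        if [ ! -f "$ref" ]; then
            printf 'MISSING  %s/%s (no %s in trusted tree)\n' "$category" "$pn" "${eb##*/}"
            bad=1
        elif ! cmp -s "$eb" "$ref"; then
            printf 'DIFFERS  %s/%s\n' "$category" "$pn"
            bad=1
        else
            printf 'OK       %s/%s\n' "$category" "$pn"
        fi
    done
    return "$bad"
}

# Constructed sample data so the check runs offline: two installed packages,
# one identical to the trusted tree and one carrying an extra injected line.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/vdb/app-misc/foo-1.0" "$base/vdb/app-misc/bar-2.1-r1" \
             "$base/tree/app-misc/foo" "$base/tree/app-misc/bar"
    printf 'EAPI=7\nDESCRIPTION="foo"\n' > "$base/tree/app-misc/foo/foo-1.0.ebuild"
    cp "$base/tree/app-misc/foo/foo-1.0.ebuild" "$base/vdb/app-misc/foo-1.0/"
    printf 'EAPI=7\nDESCRIPTION="bar"\n' > "$base/tree/app-misc/bar/bar-2.1-r1.ebuild"
    { echo 'echo "constructed tampering marker"'
      cat "$base/tree/app-misc/bar/bar-2.1-r1.ebuild"; } \
        > "$base/vdb/app-misc/bar-2.1-r1/bar-2.1-r1.ebuild"
    printf '%s\n' "$base"
}

# Stand-alone run against the constructed sample (expect bar to be flagged):
sample=$(make_sample)
compare_installed_ebuilds "$sample/vdb" "$sample/tree" || echo "mismatches found"
rm -rf "$sample"
```

Any DIFFERS or MISSING line is worth inspecting by hand; a package whose version was removed from the tree since it was installed will also show as MISSING.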

pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Fri Jun 29, 2018 4:16 pm
khayyam wrote:
> Code:
>     nlines=$(wc -l < "$file")
> best ... khay

Quick question... isn't the redirection also unnecessary? I'm just curious if I should be using it explicitly.
Code:
    nlines=$(wc -l "$file")
--
Quis separabit? Quo animo?

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 4:29 pm
pjp wrote:
> khayyam wrote:
> > Code:
> >     nlines=$(wc -l < "$file")
>
> Quick question... isn't the redirection also unnecessary? I'm just curious if I should be using it explicitly.

pjp ... if 'wc' is provided a file it outputs the filename (which we don't want), by using redirection 'wc' isn't provided a file, but a stream, and so no filename in the output.
Code:
    % wc -l file
    4 file
    % wc -l < file
    4
best ... khay

Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Fri Jun 29, 2018 4:44 pm
Code:
    sed -n '$=' FILENAME
--
Quote:
> Removed by Chiitoo

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 5:12 pm
Naib wrote:
> Code:
>     sed -n '$=' FILENAME

Naib ... at 42k I would expect 'wc' to be less resource consuming, but ok:
Code:
    awk 'END{print NR}' file
best ... khay

Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Fri Jun 29, 2018 5:29 pm
khayyam wrote:
> Naib wrote:
> > Code:
> >     sed -n '$=' FILENAME
>
> Naib ... at 42k I would expect 'wc' to be less resource consuming, but ok:
> Code:
>     awk 'END{print NR}' file
> best ... khay

but sed is faster
--
Quote:
> Removed by Chiitoo

pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Fri Jun 29, 2018 6:48 pm
khayyam wrote:
> pjp ... if 'wc' is provided a file it outputs the filename (which we don't want), by using redirection 'wc' isn't provided a file, but a stream, and so no filename in the output.

Ah, right. It is grep that has the option to not output filenames. Thanks
I don't often use wc, and when I do, it usually isn't in scripts.
--
Quis separabit? Quo animo?

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 7:07 pm
Naib wrote:
> Code:
>     sed -n '$=' FILENAME

khayyam wrote:
> ... at 42k I would expect 'wc' to be less resource consuming, but ok:
> Code:
>     awk 'END{print NR}' file

Naib wrote:
> but sed is faster ;)

Naib ... unsurprisingly, as sed is (approximately) 125k and gawk is 601k, but that was the point, I doubt sed would outperform wc ... as its only purpose is to count chars/lines, and we can assume it's doing that optimally at 42k.

pjp wrote:
> Ah, right. It is grep that has the option to not output filenames. Thanks

You're welcome. You could do the same with grep also:
best ... khay

John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Fri Jun 29, 2018 7:37 pm
Oooohh: we're playing TIMTOWTDI! Then Perl should be even faster, right?
Code:
    $ ls -l `which perl`
    -rwxr-xr-x 1 root root 10,376 Apr 9 16:37 /usr/bin/perl
and
Code:
    perl -n -e '$count++; END { print "$count\n"; }' file
Hee hee.
- John
--
I can confirm that I have received between 0 and 499 National Security Letters.

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jun 29, 2018 8:39 pm
John R. Graham wrote:
> Oooohh: we're playing TIMTOWTDI! Then Perl should be even faster, right?

John ... sure, if you 'use gofasterstripe;' ;) ... but TIMTOWTDI!!!:
Code:
    i=0 ; while read -r ; do ((i++)) ; done < file ; echo $i
best ... khay

ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Sat Jun 30, 2018 3:09 am
At eleven PM local time I got hit by the gentoo github mirror hack:
    emerge --sync
    "Warning - external command not allowed here - 1.line of xx.ebuild: 'rm /*'"
First I thought my portage tree scripts do have some serious bug ...
When I read about the hack at www.gentoo.org I was already tired in the middle of the night.
I didn't trust my Gentoo installation any more and booted my Debian.
But as I had a keyboard cable cut two days before, half of the keys were scrambled with my old reserve pc104 keyboard. Although I could run my "checkall" bash script to verify all of the md5sums on my Gentoo partition with /var/db/pkg/xxx/yyy/CONTENTS (of course some edited files at /etc and some cache type files did not match).
Tired, shocked and in uncertainty I had some bad dreams the short rest of the night:
A) my first horror setting was: What if there is not just a teen hacker who does not know anything about Gentoo, but a far bigger setup: The hacking of the Github Gentoo repository just as an intro to spread distrust and wrong advice on www.gentoo.org to make us all slaves.
B) Secondly I thought this first idea is probably not true, because it is just too costly to set up such a bigger thing. What for? But if - in some years - it is not costly at all: When AI not only has all of the expert knowledge of Gentoo systems but also the expertise of psychology of us humans? ... we gonna be the slaves of the singularity machine !

The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1166 Location: /run/user/1000
Posted: Sat Jun 30, 2018 7:19 am
ulenrich wrote:
> At eleven PM local time I got hit by the gentoo github mirror hack:

gentoo github mirror hack ?
I thought that one was safe.
I don't get all this, can someone say if updating from https://github.com/gentoo-mirror/gentoo is safe or not ?

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sat Jun 30, 2018 10:37 am
ulenrich wrote:
> At eleven PM local time I got hit by the gentoo github mirror hack:

kajzer ... yes, it's safe, ulenrich has already been called once on that particular point in this thread ... but it doesn't seem to have sunk in.
best ... khay

The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1166 Location: /run/user/1000
Posted: Sat Jun 30, 2018 10:49 am
khayyam wrote:
> kajzer ... yes, it's safe, ulenrich has already been called once on that particular point in this thread ... but it doesn't seem to have sunk in.

I see, thanks!

ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Sat Jun 30, 2018 11:52 am
khayyam wrote:
> ulenrich wrote:
> > At eleven PM local time I got hit by the gentoo github mirror hack:
>
> kajzer ... yes, it's safe, ulenrich has already been called once on that particular point in this thread ... but it doesn't seem to have sunk in.
> best ... khay

I got hit by the https://github.com/gentoo/gentoo hack and then experienced a strange git behavior using https://github.com/gentoo-mirror/gentoo before reading the news at www.gentoo.org
That strange behavior of https://github.com/gentoo-mirror/gentoo was later that night and might have been a side effect. Everyone can read the signings and evaluate it is not hacked. Sorry saying so, but I was a little shocked.

dalu Guru
Joined: 20 Jan 2003 Posts: 530
Posted: Sat Jun 30, 2018 12:14 pm
Please provide CLEAR INSTRUCTIONS ON STEPS TO TAKE in order to ensure portage tree is valid.
What is a trusted source, for one?
And how can something like this happen?
I'm pissed off AF!
Who was so careless?
Why is this all handled like in a 3rd world country?
What kind of African bush security policy do you have here? Are you all amateurs or what is happening here?
I want to know who did it, what changes were made, when it happened, whose account was compromised and why, what access permissions did he have.
Why are you discussing bash vs Perl in this thread? That's completely irrelevant in this context.
You're acting as if it's business as usual and no big deal.

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sat Jun 30, 2018 12:52 pm
dalu wrote:
> Please provide CLEAR INSTRUCTIONS ON STEPS TO TAKE in order to ensure portage tree is valid.

dalu ... ok, "don't use unsupported sync-uri".

dalu wrote:
> What is a trusted source, for one? And how can something like this happen? I'm pissed off AF!

What's unclear about the information provided in the main website?

dalu wrote:
> Who was so careless? Why is this all handled like in a 3rd world country? What kind of African bush security policy do you have here? Are you all amateurs or what is happening here?

Other than the first (which I don't think matters particularly), those are all leading questions, when did you stop beating your wife?

dalu wrote:
> I want to know who did it, what changes were made, when it happened, whose account was compromised and why, what access permissions did he have.

I'm sure some of that information will become available in time, but on what basis are you making such demands?

dalu wrote:
> Why are you discussing bash vs Perl in this thread? That's completely irrelevant in this context. You're acting as if it's business as usual and no big deal.

Well, it isn't a "big deal", and so why not TIMTOWTDI ... it's certainly more relevant than your chicken little: "the sky is falling!".
best ... khay

tholin Apprentice
Joined: 04 Oct 2008 Posts: 203
Posted: Sat Jun 30, 2018 1:19 pm
dalu wrote:
> And how can something like this happen?

User ryao on reddit got an explanation. Ryao is tagged as "Gentoo ZFS maintainer".
https://old.reddit.com/r/Gentoo/comments/8une10/has_gentoo_github_repository_been_hacked/e1i2hn8/
"This particular admin was not an active GitHub user and failed to enable it (TFA) on github. His passwords for other sites leaked and there was a pattern in them that made it guessable from the leaked passwords.
Going forward, all Gentoo github organization members will be required to enable TFA. The developer affected is also changing passwords to make them fully random. Another developer who had a similarly weak password scheme is also changing his passwords."
Not sure how reliable that info is. Hopefully there will be an official explanation eventually.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21630
Posted: Sat Jun 30, 2018 2:42 pm
dalu wrote:
> Who was so careless?
> Why is this all handled like in a 3rd world country?
> What kind of African bush security policy do you have here? Are you all amateurs or what is happening here?

How are you so certain that this is being handled poorly? First priority for a breach is to manage the technical consequences of the breach. Managing the public relations aspect is important, but secondary to ensuring that the problem is understood, contained, and that the damage is minimized.
What news sources are you reading for your information on this? Are you sure those are the right channels to get timely and accurate information?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54236 Location: 56N 3W
Posted: Sat Jun 30, 2018 2:49 pm
Keep an eye on the Wiki.
Quote:
> 23:40:xx Gentoo determines which account was the entry point. Gentoo Infra preemptively removes all access for that account from primary Gentoo properties (git repos, bugs, email, etc.)

Notice too the "The PII has been redacted." That won't change.
--
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.