Gentoo github hacked

[Naib]

https://gentoo.org/news/2018/06/28/Gith ... acked.html

Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised.

This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.

Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.

All Gentoo commits are signed, and you should verify the integrity of the signatures when using git.

Well I am using git.gentoo.org so phew but shouldn't aspects of the portage tree be sunk from different infra? ie manifest from one, ebuilds from another

[ulenrich]

https://www.gentoo.org/ shows:
----
Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised.

This does NOT affect any code hosted on the Gentoo infrastructure.
----
I just had as first line of every ebuld:
rm /*

So I can see, that the aggressor is (hopefully) not any kind of an expert of gentoo systems

[Tony0945]

Thanks! I've commented out my nightly sync from crontab and restarted vixie-cron. Then I used scp to copy the tree from one of the workstation boxes that hasn't been updated since Sunday to the central server, in case it was polluted.

EDIT We're seeing that famed Microsoft security.

[ulenrich]

https://github.com/gentoo-mirror/gentoo
might also be affected: I get an enormous .git directory
I just killed the sync while downloading and deleted ...

[Marlo]

Is this safe or compromised?

Code: Select all

tux ~ # cat /etc/portage/repos.conf/gentoo.conf 
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
auto-sync = yes
sync-rsync-verify-jobs = 1
sync-rsync-verify-metamanifest = yes
sync-rsync-verify-max-age = 24
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4

[Naib]

thats using rsync so that should be ok, especially with the additional checks recently added

[Whissi]

https://github.com/gentoo-mirror/gentoo
might also be affected: I get an enormous .git directory
I just killed the sync while downloading and deleted ...

No. Please don't spread false rumors. https://github.com/gentoo-mirror is a separate orga account which is not affected.

https://github.com/gentoo-mirror/gentoo is larger because it also contains pre-generated meta data like our rsync mirrors.

[NeddySeagoon]

Merged the two topics and stuck the result as there will be a lot of community interest.

[ulenrich]

I am pretty sure github.com/gentoo-mirrors
also is hacked: As soon as I realized the github.com/gentoo git is paralized
(I tried to enter the website, but only got response from github via firefox,
that the repository user does not exist)

I did try the github.com/gentoo-mirrors organisation, and experienced:

1. That sync worked the first time on github.com/gentoo-mirrors
2. But because of the trouble before, I had removed all of my scripts at /etc/portage/postsync.d
therefore I repositioned now the scripts to postsync.d and immedeately let follow another "emerge --sync"
... just to let the scripts work after the very soon new sync. Now, I only intended an empty, early sync:
3. emerge --sync on github.com/gentoo-mirrors
got a very lot of new objects now: about 4 times the normal load
4. Because it didn't stop the awful lot to download I interrupted that and
5. deleted all of the portage tree

Until that time, I had not looked at www.gentoo.org for the news ...

[ulenrich]

https://github.com/gentoo-mirror/gentoo
might also be affected: I get an enormous .git directory
I just killed the sync while downloading and deleted ...

No. Please don't spread false rumors. https://github.com/gentoo-mirror is a separate orga account which is not affected.

https://github.com/gentoo-mirror/gentoo is larger because it also contains pre-generated meta data like our rsync mirrors.

But why my strange experience as I had described above:
The second sync immedeately after the first did download 4 time more new objects!

???

PS: And, is there a way to use that git repository without the metada?

[duane]

EDIT We're seeing that famed Microsoft security.

I hate to admit it, but that's one of the first things that popped into my head. Then I started thinking, "This is pretty obvious. Maybe it's a feint, to distract people from a more serious hack."

I hope there's no way any signing keys could be compromised.

[Ant P.]

I doubt anything happened to any keys, but the attacker apparently wasn't very smart to begin with; it's unlikely they'd even know what to do with such a thing if they had it.

[slackline]

For those who sync using git current safe settings are therefore...

Code: Select all

[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
# Disable rsync
#sync-type = rsync
#sync-uri = rsync://rsync.gentoo.org/gentoo-portage
sync-type = git
# Either of these two are fine
#sync-uri = https://github.com/gentoo-mirror/gentoo.git
sync-uri = https://gitweb.gentoo.org/repo/gentoo.git
auto-sync = yes
priority = 1000

If you want to switch back to rsync you will likely need to add the following (as emerge reports if you don't have it)...

Code: Select all

sync-rsync-vcs-ignore = true

[Marcih]

Haha, let me interject, hahaha Winbabbies, N00buntu, install Gentoo XDDDDD

Woah mane, let's hack Gentoo's Git, it's for teh lulz XD, le legion XDDDD

Looks like summer has officially arrived.
If they had at least taken the time to target Gentoo's actual repositories, the ones 99% of users rsync with. We should be glad that didn't happen, of course.

[marax_faraii]

I've been using the git repo basically for the only reason it was faster. As I normal user, that matters for some reason unbeknownst

On that note, instead of having it on github, wouldn't it be beneficial for the devs to host on own infrastructure using gitlab?

[simonvanderveldt]

I've been using the git repo basically for the only reason it was faster. As I normal user, that matters for some reason unbeknownst

On that note, instead of having it on github, wouldn't it be beneficial for the devs to host on own infrastructure using gitlab?

It's irrelevant where it's hosted if people with access aren't taking care of their basic security

[f.kater]

To check whether my git-based portage trees that I downloaded from github are
sane, I've downloaded another portage tree as a tar file which is hopefully
ok.

IMHO comparing the DIST lines of the Manifest entries for all ebuild versions
between the two repos should reveal whether the current repo has compromised
entries, correct?

So, I've been using the following script to do so. You need to adjust the two
path variables portage_check and portage_safe to your local repositories.
Note: Large Manifest files take a while, all in all about 1 hour on my box.

Code: Select all

#!/bin/bash

portage_check="/usr/portage"
portage_safe="/usr/portage-rsync"

pushd . &> /dev/null
cd ${portage_check}

printf "\n"

for file1 in $(find . -name "Manifest" -print0 | sort -z | xargs -r0)
do
	nlines=$(cat ${file1} | wc -l)
	count=0

	while read -r line
	do
		count=$((${count} + 1))

		printf "\r%-78s" "CHECKING ${file1} (line: ${count}/${nlines})"

		IFS=' ' read -r f1 f2 f3 f4 f5 f6 <<<"$line"
		if [[ "${f1}" == "DIST" ]]; then

			file2=${portage_safe}/${file1}
			if [[ ! -f ${file2} ]]; then
				printf "\nMANIFEST NOT FOUND: ${file2}\n"
				continue
			fi

			# scan rsync manifest file for this entry
			while read -r line2
			do
				IFS=' ' read -r g1 g2 g3 g4 g5 g6 <<<"$line2"

				if [[ "${g1}" == "DIST" && "${g2}" == "${f2}" ]]; then
					if [[ "${f5}" != "${g5}" ]]; then
						printf "\nHASH DIFFERS: ebuild ${g2}\n"
					fi
				fi
			done <"${file2}"
		fi
	done <"${file1}"
done

printf "\nDONE\n"

popd &> /dev/null

[/code]

[Yamakuzure]

EDIT We're seeing that famed Microsoft security.

I hate to admit it, but that's one of the first things that popped into my head.

Guys, you do know that Microsoft does not own Github, yet, right?

Subject to customary closing conditions and completion of regulatory review, the acquisition is expected to close by the end of the calendar year.

[AngelKnight]

The notice is potentially confusing to folks who didn't know [1] or care that the Gentoo folks maintained more than one Github organization.

An answer to the following question would be useful:

Are URLs that start https://github.com/gentoo-mirror/ safe?

Answers:

• yes
• no
• not sure/maybe

For now I'm proceeding with no since that's the safest answer for me, but some explicit clarity on this would make it easier to know what's definitely risky as a result of this compro.

[1] I'm one of those

[khayyam]

An answer to the following question would be useful: Are URLs that start https://github.com/gentoo-mirror/ safe?

AngelKnight ... yes ... 'gentoo-mirror' is a separate account, see here.

best ... khay

[khayyam]

EDIT We're seeing that famed Microsoft security.

I hate to admit it, but that's one of the first things that popped into my head.

Guys, you do know that Microsoft does not own Github, yet, right? :wink:

Yamakuzure ... hold my beer ... you think microsoft would buy it if it didn't suck security wise? ;)

(not that I think the account was compromised by anything other than actions taken by those maintaining the repo).

best ... khay

[dalu]

M$ buys Github, Gentoo gets hacked.

It's either an inside job to protest the M$ acquisition, some kids acting stupid or actually M$/affiliates doing their magic.
Either case it's not the 1st time Gentoo repos were "hacked".

And this is just the epitomy of the chaos and intransparency Gentoo is.

[AngelKnight]

AngelKnight ... yes ... 'gentoo-mirror' is a separate account, see here.

best ... khay

Cheers, my search-fu failed.

[Chiitoo]

Merged the topic 'Recent news of Gentoo git being hacked' with its total of six (6) posts, as well as the topic 'On github hack: Comparing repositories', with its single starter post so as to not have several topics about the issue (unless there's a very good reason for it).

[khayyam]

f.kater ...

that criteria of validity could only be true of the tree was modified on a gentoo host, the manifests rebuilt subsequently (using 'ebuild' or 'repoman'), and then those changes pushed. If the reports so far suggest anything it's that those responcible have no idea what they were doing ... and so that is highly unlikely to be the case.

... and btw:

Code: Select all

nlines=$(cat ${file1} | wc -l)

... useless use of cat:

Code: Select all

nlines=$(wc -l < "$file")

best ... khay