Data breaches are always bad news, and this one is peculiarly bad.

Gentoo, a popular distribution of Linux, has had its GitHub repository hacked.

Hacked, as in “totally pwned”, taken over, and modified; so far, no one seems to be sure quite how or why.

That’s the bad news.

Fortunately (we like to find silver linings here at Naked Security):

The Gentoo team didn’t beat around the bush, and quickly published an unequivocal statement about the breach.

The Gentoo GitHub repository is only a secondary copy of the main Gentoo source code.

The main Gentoo repository is intact.

All changes in the main Gentoo repository are digitally signed and can therefore be verified.

As far as we know, the main Gentoo signing key is safe, so the digital signatures are reliable.

Like Drupal before it, the Gentoo team has started by assuming the worst, and figuring out how to make good from there.

That way, if things turn out to be better in practice than in theory, you’re better off, too.

Here’s what they said, less than an hour after they spotted the compromise:

[On] 28 June [2018] at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised. This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org. Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well. All Gentoo commits are signed, and you should verify the integrity of the signatures when using git. More updates will follow.

If you aren’t a Linux user, you might be thinking of letting out a sly snigger round about now – you’re probably tired of hearing from the small minority of ultrafans who not only love Linux but also can’t bear to hear anything negative about any part of the Linux ecosystem.

Please don’t gloat: this isn’t about Linux, or Windows, or macOS, or any other operating system’s attitude to cybersecurity.

This breach is a reminder of the difficulty of keeping everything secure in a cloud-centric world, where you have multiple people who need the keys to the castle, multiple repositories to deal with traffic, and an apparently ever-increasing number of attackers with an enormous range of motivations for breaking into and messing with your digital stuff.

(We don’t yet know the motivtion of the attackers in this case – a grudge against Linux? a grudge against Gentoo? a grudge against Microsoft for acquiring GitHub? an attempt to spread malware? – but the reasons aren’t immediately important.)

What to do?

Gentoo is a “build it yourself” sort of Linux distribution, where instead of downloading a set of ready-to-run files as you would with, say, Ubuntu – or macOS, or Windows, for that matter – you download the source code and compile it yourself.

The good news, of course, is that if you built it once, you can build it again – so if you fetched anything from the GitHub-hosted version of Gentoo during the danger period, get rid of it and fetch it again, using the master repository instead.

At worst, you may need or want to rebuild from scratch, bootstrapping your system from the master repository so that you’ve got a fresh start.

Then, keep your eye out for Gentoo’s official updates on what the crooks changed, and how that might have affected you during the thankfully very short window that this breach went unnoticed.

By the way, you can learn from Gentoo, even though it’s in a bit of a crisis right now:

Divide and conquer. The master repository is safe, so the crooks didn’t get the crown jewels.

The master repository is safe, so the crooks didn’t get the crown jewels. Sign everything. Give your users a way to spot imposter files.

Give your users a way to spot imposter files. Tell the plain truth. Say what you know, and be clear what you don’t.

Say what you know, and be clear what you don’t. Respond quickly. Don’t find excuses to keep your users in the dark.

Happy recompiling 🙂



