On Sat, Jun 30, 2018 at 9:54 AM Francisco Blas Izquierdo Riera
(klondike) <klond...@gentoo.org> wrote:
>
> El 29/06/18 a las 18:33, Peter Humphrey escribió:
> > On Thursday, 28 June 2018 22:15:36 BST Francisco Blas Izquierdo Riera
> > (klondike) wrote:
> >> Hi!
> >>
> >> I just want to notify that an attacker has taken control of the Gentoo
> >> organization in Github and has among other things replaced the portage
> >> and musl-dev trees with malicious versions of the ebuilds intended to
> >> try removing all of your files.
> >>
> >> Whilst the malicious code shouldn't work as is and GitHub has now
> >> removed the organization, please don't use any ebuild from the GitHub
> >> mirror obtained before 28/06/2018, 18:00 GMT until new warning.
> > Does this mean that we're safe to use anything from after your warning?
> >
> It means you are safe to use anything from official Gentoo sources other
> than GitHub. As of now even GitHub should be okay as there was a force
> push to restore the repositories.
>

If you are using git syncing I believe that portage will verify that
the top commit (which is the only one that really matters) is using a
trusted key if you put the following line in repos.conf for the
repository:
sync-git-verify-commit-signature = true

Obviously this only works with repositories signed by one of the Gentoo keys.

I couldn't find documentation on this option.  Is there an option like
this that lets you provide your own list of trusted keys, such as for
a mirror?  It looks like portage is just looking at a .asc with a
bunch of keys in it and checking that one of them signed the top
commit.  Presumably you could provide your own .asc of trusted keys
and use that for other repos that are signed.

Assuming this works (I didn't actually test it with a bad top commit),
it would have prevented this particular attack, or any other that
didn't compromise the Gentoo keys.

-- 
Rich
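As an added example (not from this thread, and not Gentoo's own documentation), a repos.conf entry for a git-synced repository with the verification described above switched on. The location, URI and keyring path are placeholders; sync-openpgp-key-path is assumed to be the portage option that names the trusted keyring, which the thread itself does not confirm.

```ini
# /etc/portage/repos.conf/gentoo.conf  (added example; paths and URI are placeholders)
[gentoo]
location = /var/db/repos/gentoo
sync-type = git
# Mirror of the main tree; with the two verification lines below removed,
# portage would accept whatever HEAD the mirror happens to serve.
sync-uri = https://git.example.invalid/gentoo-mirror.git
auto-sync = yes

# Refuse the checkout unless the top commit carries a good signature from a
# key in the keyring named below (the top commit covers the whole tree state).
sync-git-verify-commit-signature = true

# Assumption: this option selects the keyring of trusted signing keys. Point it
# at your own .asc for a repository signed by keys other than Gentoo's.
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
```

A sync that fails verification leaves the previous checkout in place, so a failure here is the signal to stop and investigate the mirror rather than to loosen the setting.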
