[conspire] (forw) [linux-elitists] PJ takes her victory lap
rick at linuxmafia.com
Wed Aug 31 18:55:50 PDT 2011
I've appended a paragraph about this to the first essay on
http://linuxmafia.com/~rick/faq/index.php?page=virus , following
five paragraphs about earlier site-compromises of other 'upstream'
developer sites that likewise didn't matter much because _signed_
contents couldn't be touched (or was instantly detectable as fraudulent
if it were touched):
In early August, 2011, Linux kernel server hera.kernel.org and several
related machines were root-compromised via (probably) stolen user
credentials, which access was then escalated to root-user access in some
fashion still being studied at this writing on the day the compromise
was discovered (Aug. 31, 2011). The kernel source tree was not, and
could not be, compromised, because it's stored entirely in
sha1-cryptographically-vetted 'git' trees. In theory, someone in control
of those machines could have replaced downloadable kernel tarballs
(compressed archives) with trojaned versions (this is being checked),
but there would have been little point as then they would not validate
against the gpg signing key.
I've also just inquired on LWN.net about the two vague points:
I'm curious about two points not (to my knowledge) yet covered,
probably for the simple reason that there hasn't been enough time for
1. What was the escalation path to root?
2. Completely aside from the git repo contents, were the downloadable
*.tar.[gz|bz2] source archives trojaned? Are there any non-site-local
mechanisms in place to detect such tampering (other than, of course, the
fact that the Linux Kernel Archives OpenPGP key is well known, and some
of us bother to check the *.tar.[gz|bz2].sign files?
More information about the conspire