[conspire] (forw) [linux-elitists] PJ takes her victory lap

Rick Moen rick at linuxmafia.com
Wed Aug 31 18:55:50 PDT 2011


I've appended a paragraph about this to the first essay on
http://linuxmafia.com/~rick/faq/index.php?page=virus , following 
five paragraphs about earlier site-compromises of other 'upstream'
developer sites that likewise didn't matter much because _signed_ 
contents couldn't be touched (or was instantly detectable as fraudulent
if it were touched):

  In early August, 2011, Linux kernel server hera.kernel.org and several
  related machines were root-compromised via (probably) stolen user
  credentials, which access was then escalated to root-user access in some
  fashion still being studied at this writing on the day the compromise
  was discovered (Aug. 31, 2011). The kernel source tree was not, and
  could not be, compromised, because it's stored entirely in
  sha1-cryptographically-vetted 'git' trees. In theory, someone in control
  of those machines could have replaced downloadable kernel tarballs
  (compressed archives) with trojaned versions (this is being checked),
  but there would have been little point as then they would not validate
  against the gpg signing key.

I've also just inquired on LWN.net about the two vague points:

  I'm curious about two points not (to my knowledge) yet covered,
  probably for the simple reason that there hasn't been enough time for
  proper forensics:

  1. What was the escalation path to root?

  2. Completely aside from the git repo contents, were the downloadable
  *.tar.[gz|bz2] source archives trojaned? Are there any non-site-local
  mechanisms in place to detect such tampering (other than, of course, the
  fact that the Linux Kernel Archives OpenPGP key is well known, and some
  of us bother to check the *.tar.[gz|bz2].sign files?






More information about the conspire mailing list