[sf-lug] Malware hidden in Linux packages First Gentoo more lately Arch.
Rick Moen
rick at linuxmafia.com
Thu Jul 12 14:23:41 PDT 2018
I thought I should also respond to the 'first Gentoo' part of
the Subject header. (Note: I am neither a Gentoo person nor an Arch Linux
one, though I respect both projects highly.)
As it turns out, it is _also_ absolutely not true to claim that Gentoo
Linux packages got 'malware'. But details of the June 28th incident
may be of interest.
Gentoo Linux maintains, as a _side_ (external, downstream) code repository,
an 'organization' (basically a customer set of group-account features)
on the third-party commercial hosting service GitHub -- which should not
be confused with Gentoo's own infrastructure. Reportedly, someone's
login password got stolen.
Some pretty good commentary by a Gentoo person, excerpted from
https://blog.sumptuouscapital.com/2018/06/my-comments-on-the-gentoo-github-hack/
Gentoo has mainly had a presence on GitHub in order to facilitate pull
requests from external contributors and proxied maintainers; actually,
using GitHub for anything critical goes against the Gentoo Social
Contract. [link]
The primary method of synchronizing the Gentoo Ebuild Repository is
using rsync, and github was never part of the mirroring infrastructure
for rsync. Furthermore, for Portage users, gemato is used to verify the
MetaManifests and in turn the ebuilds using OpenPGP (aka GPG aka PGP)
signatures by default.
So to make it absolutely clear: a mirror compromise, in the case of GitHub,
doesn't mean it automatically results in the ebuilds being distributed
to the users using regular update mechanisms.
On a different mailing list (GoLUG's), I observed:
FWIW, looks like the compromise lasted only 1 hour and 9 minutes, before
Gentoo responded by getting access to the GitHub mirror's contents
'frozen' (curtailed).
https://wiki.gentoo.org/wiki/Github/2018-06-28
On that mailing list, a friend observed:
Still, one more piece of evidence against outsourcing tech easily done
yourself to an outsider.
And I replied:
If nothing else, there was a lag caused by the need to motivate GitHub
staff to take action:
20:49:xx First abuse report to GitHub support
20:51:xx Infra's informal contact to GitHub via multiple personal channels
20:53:xx Second abuse report to GitHub
21:00:xx (approx) GitHub informal report that they are starting to look
21:05:xx Infra's formal ticket to Github Support
21:28:xx Github support responds; Gentoo Github org frozen.
In-house, it would have been just ssh'ing in and (probably) a single
shell command. Boom.
Anyway, tl;dr version:
1. No, Gentoo's own software infrastructure _wasn't_ affected, just an
outside commercially hosted facility where the customer-admin login
was briefly taken over because of a stolen password, and brief mischief
done.
2. Gentoo itself was totally unaffected.
3. Shutting down the third-party compromise took an hour because
outsourcing creates that (high) risk of delayed response, among others.
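The quoted Gentoo commentary rests on one mechanism: Portage users get the ebuild tree over rsync and gemato checks each file against a Manifest whose digests chain up to an OpenPGP-signed top-level Manifest, so an edited ebuild on a mirror is rejected before it is used. The following is an added illustration of that file-hash layer, written for this page; it is not gemato, Portage or Gentoo code. It assumes the Manifest2 line shape `TYPE FILENAME SIZE HASHNAME HEX [HASHNAME HEX ...]` with BLAKE2B and SHA512 digests, builds a constructed package directory in a temp dir, verifies it, then tampers with the ebuild the way a mirror compromise would and shows the mismatch. The OpenPGP signature over the Manifest (the layer that stops an attacker from rewriting the Manifest as well) is assumed to have been checked already and is not reproduced here.

```python
"""Hash-layer check for Gentoo-style Manifest2 entries (constructed example,
not gemato/Portage code).  Signature verification of the Manifest itself is
assumed done elsewhere (gpg/gemato) and is not shown."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Manifest2 line: TYPE FILENAME SIZE HASHNAME HEX [HASHNAME HEX ...]
HASHES = {"BLAKE2B": "blake2b", "SHA512": "sha512"}


def digests(path: str) -> Tuple[int, Dict[str, str]]:
    """Return (size, {hashname: hexdigest}) for one file, streamed in chunks."""
    hs = {name: hashlib.new(algo) for name, algo in HASHES.items()}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            for h in hs.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hs.items()}


def make_manifest(pkgdir: str) -> str:
    """Build Manifest text for every regular file under pkgdir (helper for the demo)."""
    lines = []
    for name in sorted(os.listdir(pkgdir)):
        path = os.path.join(pkgdir, name)
        if name == "Manifest" or not os.path.isfile(path):
            continue
        kind = "EBUILD" if name.endswith(".ebuild") else "MISC"
        size, d = digests(path)
        lines.append(f"{kind} {name} {size} BLAKE2B {d['BLAKE2B']} SHA512 {d['SHA512']}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, Tuple[str, int, Dict[str, str]]]:
    """Parse Manifest lines into {filename: (type, size, {hashname: hex})}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # TYPE NAME SIZE plus at least one (HASHNAME, HEX) pair -> odd count >= 5
        if len(parts) < 5 or len(parts) % 2 != 1:
            raise ValueError(f"malformed Manifest line: {line!r}")
        kind, name, size = parts[0], parts[1], int(parts[2])
        entries[name] = (kind, size, dict(zip(parts[3::2], parts[4::2])))
    return entries


def verify_tree(pkgdir: str, manifest_text: str) -> List[str]:
    """Check pkgdir against the Manifest; return a list of problems (empty == clean)."""
    problems = []
    entries = parse_manifest(manifest_text)
    for name, (kind, size, hashes) in entries.items():
        path = os.path.join(pkgdir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: listed in Manifest but missing")
            continue
        actual_size, actual = digests(path)
        if actual_size != size:
            problems.append(f"{name}: size {actual_size} != {size}")
        for hname, expected in hashes.items():
            if hname not in actual:
                problems.append(f"{name}: unsupported hash {hname}")
            elif actual[hname] != expected:
                problems.append(f"{name}: {hname} mismatch")
    # Unlisted files are rejected too, so an attacker cannot drop in an extra ebuild.
    for name in sorted(os.listdir(pkgdir)):
        if name != "Manifest" and os.path.isfile(os.path.join(pkgdir, name)) and name not in entries:
            problems.append(f"{name}: not listed in Manifest")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed package dir: a clean tree verifies, a tampered ebuild does not."""
    with tempfile.TemporaryDirectory() as pkgdir:
        ebuild = os.path.join(pkgdir, "example-1.0.ebuild")
        with open(ebuild, "w") as f:
            f.write('EAPI=7\nDESCRIPTION="constructed example"\nsrc_install() { :; }\n')
        with open(os.path.join(pkgdir, "metadata.xml"), "w") as f:
            f.write("<pkgmetadata/>\n")
        manifest = make_manifest(pkgdir)        # stands in for the signed Manifest
        clean = verify_tree(pkgdir, manifest)
        # Simulate a mirror-side edit of the ebuild without a re-signed Manifest.
        with open(ebuild, "a") as f:
            f.write("# line appended on the mirror\n")
        tampered = verify_tree(pkgdir, manifest)
        return clean, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("clean tree problems:", ok)
    print("tampered tree problems:", bad)
```

The tampered run reports a size mismatch and both digest mismatches for the ebuild, which is the point of the post's argument: without the private key that signs the Manifest, a compromised mirror can only produce files that clients refuse.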