A key Gentoo Linux source code repository should be considered compromised after “unknown individuals” gained access to Gentoo’s GitHub organisation.
In an email to the Gentoo announcement list, developer Alec Warner said that the individuals had seized control of the GitHub Gentoo organisation “and modified the content of repositories as well as pages there”.
“We are still working to determine the exact extent and to regain control of the organization and its repositories,” Warner said.
“All Gentoo code hosted on GitHub should for the moment be considered compromised. This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.”
The gentoo-mirror repositories including metadata “are hosted under a separate GitHub organization and likely not affected as well,” a statement posted on the Gentoo Linux website said.
“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git.”
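
The advice to verify signatures when using git can be enforced before a checkout is trusted. The shell functions below are an added example, not code from Gentoo or from the statement quoted above; they read the per-commit status letter that `git log --format='%H %G?'` prints and reject a range if any commit lacks a good, trusted signature. The names `classify_signatures`, `verify_range` and `SAMPLE_LOG` are hypothetical, the sample lines are constructed, and rejecting status `U` (good signature, untrusted key) is a policy assumption.

```shell
#!/bin/sh
# Added example: gate use of a git checkout on commit signatures.
# Assumes the signers' public keys are already imported and trusted
# in the local GnuPG keyring.

# Reads "<hash> <status>" lines on stdin, where <status> is git's %G?
# letter. Prints every commit that is not acceptable and returns 1 if
# any was found, 0 otherwise.
classify_signatures() {
    failed=0
    while read -r hash status; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) continue ;;  # good signature from a trusted key
            U) reason="good signature, signer key not trusted" ;;
            B) reason="BAD signature" ;;
            X) reason="signature expired" ;;
            Y) reason="signed by an expired key" ;;
            R) reason="signed by a revoked key" ;;
            E) reason="signature could not be checked (missing key?)" ;;
            N) reason="no signature" ;;
            *) reason="unrecognised status '$status'" ;;
        esac
        echo "$hash: $reason"
        failed=1
    done
    return "$failed"
}

# Checks every commit in a revision range of a local clone.
# $1 = path to the repository, $2 = range such as "origin/master"
# or "known_good_commit..HEAD".
verify_range() {
    git -C "$1" log --format='%H %G?' "$2" | classify_signatures
}

# Constructed sample of `git log --format='%H %G?'` output
# (shortened placeholder hashes, not real commits).
SAMPLE_LOG='1111111 G
2222222 N
3333333 B'
```

Running `verify_range` over the commits fetched since a known-good commit, and refusing to build on a non-zero exit, catches unsigned or badly signed commits pushed to a mirror by someone who does not hold a developer key.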