Github Gentoo Organization Hacked

[DooKey]

The Github Gentoo organization has been hacked and some of the code repositories received malicious commits to the code. The good news is the repositories that were hit have been reset back to a known good state. Also, they've locked out the compromised account and are re-adding all members to the organization. Further, If you grabbed some Gentoo code late last night you should scrub it from your computer.


The Gentoo GitHub organization remains temporarily locked down by GitHub support, pending fixes to pull-request content.

The Gentoo Infrastructure team have identified the ingress point, and locked out the compromised account.

 

[purple_monster]

and the gentoo organization, who all use macs, were devastated at the betrayal

 

[naib]

yup spotted the new items the moment it went up. I don't sync against github but against gentoo directly

cat /etc/portage/repos.conf/gentoo.conf

[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
#sync-depth = 1
sync-type = git 
#sync-uri = https://github.com/gentoo-mirror/gentoo.git 
sync-uri = https://git.gentoo.org/repo/gentoo.git
auto-sync = yes

the github is there only to provide mass mirroring and a point for users todo pull request (if they don't want to use bugzilla). Still not good. Some dev had a weak password or their got pwnt elsewhere... thing is the induvidual who got in didn't know what they were doing silly edits

 

[Zarathustra[H]]

I used to love Gentoo. Used it as my primary OS from like 2002 - 2008 (I think, memory is hazy) back when you had to bootstrap the entire system and compile from scratch manually during install.

The custom compiler optimizations really appealed to me at the time, but over time I've come to learn that they actually made little to no difference in real system performance.

Over time I moved away from it. I found the stable branch in portage to constantly not have adequate support for my hardware, and the unstable branch to - well - be very unstable. I would constantly get regressions and have to troubleshoot for hours to get everything working again.

I then switched to Ubuntu. It felt like it was dumbed down and I was moving backwards, but it really did "just work" by comparison.

When Ubuntu made Unity the default desktop interface, I hated it and went to Mint. Been here ever since. I like apt, it's a good package manager and I like Cinnamon. It's a good desktop.

I still value my Gentoo days though. The manual boot strap install process and constant troubleshooting gave me a real comfort with working in the Linux command line I otherwise likely would never have had.

 

[JosiahBradley]

I used to love Gentoo. Used it as my primary OS from like 2002 - 2008 (I think, memory is hazy) back when you had to bootstrap the entire system and compile from scratch manually during install.

The custom compiler optimizations really appealed to me at the time, but over time I've come to learn that they actually made little to no difference in real system performance.

Over time I moved away from it. I found the stsble branch in portage to constantly not have adequate support for my hardware, and the unstable branch to - well - be very unstable. I would constantly get regressions and have to troubleshoot for hours to get everything working again.

I then switched to Ubuntu. It felt like it was dumbed down and I was moving backwards, but it really did "just work" by comparison.

When Ubuntu made Unity the default desktop interface, I hated it and went to Mint. Been here ever since. I like apt, it's a good package manager and I like Cinnamon. It's a good desktop.

I still value my Gentoo days though. The manual boot strap install process and constant troubleshooting gave me a real comfort with working in the Linux command line I otherwise likely would never have had.

I've been using Sabayon for the past 8 years or so as my main workstation, its a binary version of Gentoo with all the fun of portage and a fresh package manager called Rigo. The best thing about it is that it is very up to date. Currently got a Ryzen 2400G running on it with hardware acceleration. Did require a custom kernel but that's easier on Gentoo based systems I find.

 

[gamerk2]

This sounds more like a test to me; this seems to obvious to be anything else.

 

[drescherjm]

I am still (since 2003) using Gentoo at home and work.

 

[Todd Walter]

I am still using Gentoo at home and work.

I do as well, and for embedded work on ARM. Now that GCC 8 is in portage I'm going to give it a whirl this weekend.

 

[spintroniX]

I've never used Gentoo. My foray into Linux started about a year ago, with Ubuntu. I've used Mint and plain Debian for a couple weeks.

Hope this gets sorted ASAP

 

[drescherjm]

I am not using git for portage yet on any system.

 

[iNViSiGOD]

Sticking with Arch Linux, it just works. Though Gentoo did look fun too mess around with.

 

[naib]

I've never used Gentoo. My foray into Linux started about a year ago, with Ubuntu. I've used Mint and plain Debian for a couple weeks.

Hope this gets sorted ASAP

its already sorted. It was sorted very, very quickly.

NOTE: this only potentially impacted those using git (as oppose to rsync or bundle) from github

 

[Mode13]

Now I have to shave my gentoo user beard just incase.

 

[Todd Walter]

Now I have to shave my gentoo user beard just incase.

USE="-beard" emerge face

 

[velusip]

No biggie. Just a quick reinstall. (lol)

 

[BloodyIron]

My first Linux install was Gentoo. Talk about trial by fire, but I sure learned a lot!

Currently my go to is Ubuntu, but I did quite like how Gentoo did its thing. It's been a long time, so my info may be old, but I appreciate the way it gives you very granular control but also helps you streamline so much of the process. I think it struck a good balance.

 

[Exavior]

I used to love Gentoo. Used it as my primary OS from like 2002 - 2008 (I think, memory is hazy) back when you had to bootstrap the entire system and compile from scratch manually during install.

The custom compiler optimizations really appealed to me at the time, but over time I've come to learn that they actually made little to no difference in real system performance.

Over time I moved away from it. I found the stable branch in portage to constantly not have adequate support for my hardware, and the unstable branch to - well - be very unstable. I would constantly get regressions and have to troubleshoot for hours to get everything working again.

I then switched to Ubuntu. It felt like it was dumbed down and I was moving backwards, but it really did "just work" by comparison.

When Ubuntu made Unity the default desktop interface, I hated it and went to Mint. Been here ever since. I like apt, it's a good package manager and I like Cinnamon. It's a good desktop.

I still value my Gentoo days though. The manual boot strap install process and constant troubleshooting gave me a real comfort with working in the Linux command line I otherwise likely would never have had.

Yup, had a few computer I tried to run it on took me 2 - 3 days for the compiler to get done installing everything. I was more than happy to jump to something that just worked.

 

[Exavior]

No biggie. Just a quick reinstall. (lol)

see you in about 5 - 50 hours

 

[Todd Walter]

Compared to 2001 it's greased lightening.

 

[drescherjm]

It's not bad if you start with an appropriate stage3 and have CPU with 8+ cores like the Ryzen 2700 I installed it on a few weeks back.

Back in 200Xs I mostly just installed once and cloned full installs to other machines. That was as long as I did not have to change CPU vendors ( and / or 32 / 64 bit).

 

[Todd Walter]

It's not bad if you start with an appropriate stage3 and have CPU with 8+ cores like the Ryzen 2700 I installed it on a few weeks back.

Back in 200Xs I mostly just installed once and cloned full installs to other machines. That was as long as I did not have to change CPU vendors ( and / or 32 / 64 bit).

distcc and my own binhost ftw! I can't wait to see how fast an entire OS can compile on a new Threadripper. It'll probably be the minimum required to compile FF61!

 

[Zarathustra[H]]

No biggie. Just a quick reinstall. (lol)

see you in about 5 - 50 hours

Back in the early days when you had to bootstrap and compile to install, certainly.

I think they ave a binary install these days though. If you want everything custom compiled you can always set your vars and re-emerge the entire tree after install though.

That said, I get the impression even if you had to compile from scratch, this would be much less of a big deal these days with our fancy fast CPU's, compared to when I started running Gentoo on a 1200Mhz single core Athlon.

 

[drescherjm]

distcc and my own binhost ftw!

Ahh the memories. Had that as well..

 

[Todd Walter]

Back in the early days when you had to bootstrap and compile to install, certainly.

I think they ave a binary install these days though. If you want everything custom compiled you can always set your vars and re-emerge the entire tree after install though.

That said, I get the impression even if you had to compile from scratch, this would be much less of a big deal these days with our fancy fast CPU's, compared to when I started running Gentoo on a 1200Mhz single core Athlon.

That was the same processor I started my Gentoo journey on. I had had enough of RPM hell on Mandrake and went looking for a way to build from source without it being from scratch. I promptly upgraded to a dual-core Athlon because of it!

 

[DeeFrag]

Ahh yes Gentoo. It's like owning a classic british sportscar and becoming a master mechanic just to keep things running.

 

[Todd Walter]

Ahh yes Gentoo. It's like owning a classic british sportscar and becoming a master mechanic just to keep things running.

Yup. There's no better education than having to dogfood it.

 

[drescherjm]

Ahh yes Gentoo. It's like owning a classic british sportscar and becoming a master mechanic just to keep things running.

That was one of the reasons why I started Gentoo in the first place.. I really like to understand what is going on under the hood. Gentoo ( at least back 15 or so years ago) forced you to get under the hood.

That and What Todd mentioned earlier. RPM hell. Been there / done that..

 

[Exavior]

Back in the early days when you had to bootstrap and compile to install, certainly.

I think they ave a binary install these days though. If you want everything custom compiled you can always set your vars and re-emerge the entire tree after install though.

That said, I get the impression even if you had to compile from scratch, this would be much less of a big deal these days with our fancy fast CPU's, compared to when I started running Gentoo on a 1200Mhz single core Athlon.

I am sure, it has been many years since I last ran it. Want to say I was trying to install it on a P3 550mhz with 64MB or 128MB ram or something like that back around 2005.

 

[Zarathustra[H]]

That was the same processor I started my Gentoo journey on. I had had enough of RPM hell on Mandrake and went looking for a way to build from source without it being from scratch. I promptly upgraded to a dual-core Athlon because of it!

Ugh, yes.

Back in the day RPM really sucked.

(In fact, maybe it still does, I haven't used it since Red Hat 7.3 Valhalla)

Portage was much better than RPM, but I think I prefer Apt these days. To the point where I probably wouldn't bother with any distribution that didn't use Apt

 

[Exavior]

Ugh, yes.

Back in the day RPM really sucked.

(In fact, maybe it still does, I haven't used it since Red Hat 7.3 Valhalla)

Portage was much better than RPM, but I think I prefer Apt these days. To the point where I probably wouldn't bother with any distribution that didn't use Apt

Redhat (and Centos) don't really require you to use RPM directly anymore. I can only think of 3 or 4 things that required me to download an RPM in the last 4 years. It now uses yum, which is about the same as apt. I am sure there is some difference somewhere and somebody will bitch that I said they are the same. However you just do yum update, yum install apache, just like you do with apt to update and get your patches and software by downloading and installing the RPMs for you. Been so long since I have even touched Gentoo don't recall how Portage was different.

 

[velusip]

Back in the early days when you had to bootstrap and compile to install, certainly.

I think they ave a binary install these days though. If you want everything custom compiled you can always set your vars and re-emerge the entire tree after install though.

That said, I get the impression even if you had to compile from scratch, this would be much less of a big deal these days with our fancy fast CPU's, compared to when I started running Gentoo on a 1200Mhz single core Athlon.

Yeah, portage handles binary packages too. Generally people save any custom packages, but grab a community binary suited to their hardware from a build server.

Compiling is certainly a hell of a lot faster these days, but many popular libraries are a hell of a lot bigger too. And take extra care when compiling a custom kernel these days and remove absolutely every unneeded module you can.