|author||Robin H. Johnson <email@example.com>||2018-06-29 23:15:05 -0700|
|committer||Robin H. Johnson <firstname.lastname@example.org>||2018-06-29 23:15:05 -0700|
|parent||GitHub: update incident (diff)|
GitHub: the news was too long. Redirect to wiki & status
Signed-off-by: Robin H. Johnson <email@example.com>
Diffstat (limited to '_posts')
1 files changed, 8 insertions, 64 deletions
diff --git a/_posts/2018-06-28-Github-gentoo-org-hacked.md b/_posts/2018-06-28-Github-gentoo-org-hacked.md
index f89dd75..7f782b5 100644
@@ -1,69 +1,13 @@
-title: 'Github Gentoo organization hacked'
+title: 'Github Gentoo organization hacked - partially resolved'
-# Summary status
-## Pending actions
-1. Gentoo is waiting for GitHub to:
- 1. Complete audit log aggregate on their systems.
- 2. Provide detailed audit logs for manually resetting PR state.
- 3. Unlock the organization after PRs are reset.
-2. Gentoo Infrastructure team will re-add members to the GitHub organization at this point.
+- Non-GitHub services remain unaffected.
+- The GitHub `gentoo` organization repositories have been restored to known good states.
+- The GitHub `gentoo-mirror` organization is unaffected.
+- The GitHub `gentoo` organization remains offline for cleanup of malicious PR changes.
-## Completed actions
-- Malicious content was replaced by 2018/06/29 06:59 UTC.
-- Reviewed & reverted GitHub settings as needed.
-- Trace & lock-out compromised account.
-- Reviewed all public & private commits for the compromised account for the
- last 90+ days.
+For ongoing status, please see the [Gentoo infra-status incident page](https://infra-status.gentoo.org/notice/20180629-github).
-For further followup, please see the [Gentoo Wiki incident page] (https://wiki.gentoo.org/wiki/Github/2018-06-28).
-# Update status
-## 2018-06-29 23:06 UTC
-GitHub says detailed audit logs of PR actions will take 3-4 days to prepare,
-and that a direct rewind of PR state will NOT be possible.
-The GitHub organization will remain offline until that time. Non-GitHub services remain unaffected.
-## 2018-06-29 20:30 UTC
-GitHub says they are still working on it.
-## 2018-06-29 14:10 UTC
-No further information from GitHub since the last update.
-## 2018-06-29 06:45 UTC
-The `gentoo` GitHub organization remains temporarily locked down by GitHub
-support, pending fixes to pull-request content.
-The Gentoo Infrastructure team have identified the ingress point, and locked
-out the compromised account.
-The following repositories received malicious commits, which have been
-reset back to a known good state:
-- https://github.com/gentoo/gentoo - mirror of https://gitweb.gentoo.org/repo/gentoo.git/
-- https://github.com/gentoo/musl - mirror of https://gitweb.gentoo.org/proj/musl.git/
-- https://github.com/gentoo/systemd - mirror w/ branches from upstream systemd https://github.com/systemd/systemd
-### Further mitigating factors
-1. No ebuilds are known to have used the systemd repo fork.
-2. The official Gentoo repository list used by eselect-repository and layman listed only git.gentoo.org URLs for Gentoo and musl repositories.
-3. The malicious content has been force-pushed over the original commits, which should have resulted in `git pull` refusing to merge unrelated histories.
-## 2018-06-28 23:10 UTC
-Gentoo has regained control of the the Gentoo Github Organization. We are currently working with Github on a procedure for resolution. Please continue to refrain from using code from the Gentoo Github Organization. Development of Gentoo primarily takes place on Gentoo operated hardware (not on github) and remains unaffected. We continue to work with Github on establishing a timeline of what happened and we commit to sharing this with the community as soon as we can.
-## 2018-06-28 21:10 UTC
-Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of
-repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its
-repositories. All Gentoo code hosted on github should for the moment be considered compromised.
-This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and
-since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.
-Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.
-All Gentoo commits are signed, and you should verify the integrity of the signatures when using git.
-More updates will follow.
+For later followup, please see the Gentoo Wiki page for [GitHub 2018-06-28](https://wiki.gentoo.org/wiki/Github/2018-06-28). An incident post-mortem will follow on the wiki.