Hackers compromised Gentoo Linux repositories on GitHub

On June 28, 2018 , at approximately 20:20 UTC , unidentified subjects gained control of Gentoo's administrative accounts on Github and made code modifications in the repositories and on the manual pages. This information is circulated in the official newsletter of the project by Alec Warner. Currently, the development team is working to investigate events and eliminate violations.

All mirrors of the Gentoo project on Github should be considered compromised. If you downloaded something from these resources after the date of hacking, you are at risk. The very infrastructure of the project Gentoo, according to available information, is not affected.

Alec Warner notes that usually all legitimate commits to the Gentoo code are digitally signed, so they can be verified using git utilities. GitHub is not the primary development site for Gentoo Linux, and all code and commits are simply mirrored from repositories on Gentoo’s private infrastructure servers.

User dartraiden clarifies:

Only a mirror on GitHub has been cracked ...
This mirror is mainly for receiving pull requests, it is not intended for users to pull updates from it, there is neither Metadata with checksums or ebuilds.

For users who want to be updated from GitHub, there is a separate mirror, it is also not affected .