[ale] Security breach on kernel.org

JD jdp at algoloma.com
Thu Sep 1 11:46:09 EDT 2011


Git is an amazing tool with sha1 signatures for stored objects and using
a DVCS means that pretty much anyone anywhere in the world can compare
all the code changes between any dates they like.  Every kernel
developer would need to have been cracked for me to worry.

Having the "public" ssh-keys isn't all that worrisome to me either. Am I
missing something important?  The way that Git works is you push your
public ssh-key to the remote server and use that for remote commands to
the repository.  That key cannot connect back to your system. It only
works through git or ssh commands initiated by the user. Can it be used
to hop systems? I don't think so, not without the private key.  Sure,
someone could swap out the git and ssh programs with Trojans. We'll know
more about that soon enough.

I'm not worried at all about the kernel sources.  Even if one of the
core 5 kernel maintainers (and there are more than that) were
compromised and trojans were installed on all their systems, there are
enough untainted versions (probably thousands) available to validate the
code. I'd be surprised if that weren't already completed.

Sure, I'd change my ssh-keys if I were a core contributor.  `ssh-keygen`
isn't **that big of a deal.**  Then `ssh-copy-id` pushes the new keys to
remote systems pretty easily.  Used it yesterday on a new VM.

What am I missing?


On 09/01/2011 09:13 AM, Ron Frazier wrote:
> I'd hate to see a Trojan get into the kernel and auto update to my PC.  
> Hopefully, that's not likely.  Hopefully, it's not possible.
> 
> Ron
> 
> On 9/1/2011 8:10 AM, Watson, Keith wrote:
>> Security breach on kernel.org
>> https://www.kernel.org/
>>
>> Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.
>>
>>
>> There is more information on their home page.
>>
>> keith
>>

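The property the post above relies on (that Git names every object by a hash of its content, so anyone holding a copy can compare trees without trusting a particular server) can be checked from first principles. The Python below is an added example, not part of the original thread or of kernel.org's tooling. It recomputes blob, tree and commit ids the way Git does ("<type> <size>\0<content>" hashed with SHA-1) and shows that a mirror in which one byte of one file was altered can no longer reproduce the trusted commit id. The file contents, author line and commit message are constructed sample data; real-world verification would read the objects from a checkout and handle nested directories.

```python
"""Recompute Git object ids from raw content to check one copy of a tree against another.

Git names every object by SHA-1 over "<type> <size>\\0<content>". A commit id pins a
tree id, which pins every blob id, so two copies that agree on a commit id agree on
every byte below it. Added example with constructed sample data.
"""
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """Return the id Git assigns to `payload` stored as `obj_type` (blob/tree/commit)."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def tree_payload(blobs: dict) -> bytes:
    """Serialize a flat tree of regular files (mode 100644).

    Git stores each entry as "<mode> <name>\\0" followed by the 20 raw id bytes,
    entries sorted by name. Subdirectories would need a recursive tree and are
    deliberately not handled in this example.
    """
    body = b""
    for name in sorted(blobs):
        oid = git_object_id("blob", blobs[name])
        body += f"100644 {name}\0".encode() + bytes.fromhex(oid)
    return body


def commit_payload(tree_oid: str, parent_oid, author: str, message: str) -> bytes:
    """Serialize a commit object; `parent_oid` is None for a root commit."""
    lines = [f"tree {tree_oid}"]
    if parent_oid:
        lines.append(f"parent {parent_oid}")
    lines += [f"author {author}", f"committer {author}", "", message]
    return ("\n".join(lines) + "\n").encode()


def commit_id_for(files: dict, parent_oid, author: str, message: str) -> str:
    """Commit id implied by a set of file contents plus the commit metadata."""
    tree_oid = git_object_id("tree", tree_payload(files))
    return git_object_id("commit", commit_payload(tree_oid, parent_oid, author, message))


# Constructed sample: a trusted checkout and a mirror where one byte of one file differs.
AUTHOR = "Example Dev <dev@example.invalid> 1314877569 -0400"  # constructed
MESSAGE = "Fix off-by-one in sample parser"                   # constructed
TRUSTED_FILES = {
    "Makefile": b"all:\n\tcc -o demo demo.c\n",
    "demo.c": b'#include <stdio.h>\nint main(void){puts("ok");return 0;}\n',
}
TAMPERED_FILES = dict(TRUSTED_FILES)
TAMPERED_FILES["demo.c"] = TRUSTED_FILES["demo.c"].replace(b'puts("ok")', b'puts("OK")')


def trusted_commit_id() -> str:
    """The id the trusted copy publishes, e.g. in a tag or a signed announcement."""
    return commit_id_for(TRUSTED_FILES, None, AUTHOR, MESSAGE)


def mirror_matches(mirror_files: dict, expected_commit_id: str) -> bool:
    """True iff rebuilding the commit from the mirror's content reproduces the trusted id."""
    return commit_id_for(mirror_files, None, AUTHOR, MESSAGE) == expected_commit_id


if __name__ == "__main__":
    trusted = trusted_commit_id()
    print("trusted commit :", trusted)
    print("clean mirror ok:", mirror_matches(TRUSTED_FILES, trusted))
    print("tampered ok    :", mirror_matches(TAMPERED_FILES, trusted))
```

The blob id for the six bytes "hello\n" comes out as ce013625030ba8dba906f756967f9e9ca394464a, the same value `git hash-object` prints, which is a quick way to confirm the header format. The comparison is only as strong as the trusted commit id itself: it should come from a channel independent of the server being checked, such as a signed tag or a maintainer's announcement, which is exactly why having many independent clones matters.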