If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data.
The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.
Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project's 'hub org account.
"Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the GitHub Gentoo organization, and modified the content of repositories as well as pages there," Gentoo dev Alec Warner said in a bulletin.
"We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised."
If there is some good news to be had, it's that Gentoo does not believe the master copies of its code were tampered with – Gentoo keeps master builds separate from its GitHub-hosted wares on servers that were not hacked. Thus, penguinistas should be able to get clean copies of software without much problem via the Gentoo.org website.
"Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org," Warner said.
"Also, the gentoo-mirror repositories including metadata are hosted under a separate GitHub organization and likely not affected as well."
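To act on that advice you first have to know which local checkouts came from the affected organization. The script below is an added example, not Gentoo's or GitHub's tooling: it walks a directory tree and labels every git remote it finds. It assumes the affected organization's repositories live under `github.com/gentoo/` and the separate mirror organization under `github.com/gentoo-mirror/`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Gentoo's tooling): find checkouts whose remotes point at
# the GitHub organisation the bulletin says to treat as compromised.
# Assumed org paths: github.com/gentoo/ (affected), github.com/gentoo-mirror/.

# classify_remote URL -> prints affected | mirror | other
classify_remote() {
    # Normalise https://, ssh://, git:// and scp-style "git@host:path" to
    # "host/path". Lower-cased because GitHub org names are case-insensitive.
    norm=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -E \
        -e 's#^[a-z+]+://##' \
        -e 's#^[^/@]*@##' \
        -e 's#^([^/:]+):[0-9]+/#\1/#' \
        -e 's#^([^/:]+):#\1/#')
    case "$norm" in
        github.com/gentoo/*)        echo affected ;;
        github.com/gentoo-mirror/*) echo mirror ;;
        *)                          echo other ;;
    esac
}

# scan_tree DIR -> one "status<TAB>checkout<TAB>url" line per configured remote.
# Reads .git/config directly, so it works without git installed; linked
# worktrees and submodule checkouts (where .git is a file) are not followed.
scan_tree() {
    find "$1" -type d -name .git -prune 2>/dev/null |
    while IFS= read -r gitdir; do
        [ -f "$gitdir/config" ] || continue
        sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$gitdir/config" |
        while IFS= read -r url; do
            printf '%s\t%s\t%s\n' \
                "$(classify_remote "$url")" "${gitdir%/.git}" "$url"
        done
    done
}

# affected_checkouts DIR -> paths with at least one affected remote.
affected_checkouts() {
    scan_tree "$1" | awk -F '\t' '$1 == "affected" { print $2 }' | sort -u
}
```

Source the file and run `affected_checkouts "$HOME"`. It reports where a checkout's remotes point, not whether or when tampered content was actually fetched.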
The alert does not reveal who may have tampered with the code, how they were able to do it, or how long they were able to do it without being caught. Understandably, Gentoo is a bit light on the details as it works out the situation. ®