/tech/ - Technology★

>>936467 (OP)

Hmm. I wonder if this means the end of the install gentoo meme.

literally nothing

>>936472

Not if people were using github to merge new software.

OH NO NO NO NO

>>936474

Did you even read the announcement?

>Also, the gentoo-mirror repositories including metadata are hosted under a separate Github organization and likely not affected as well.

>>936471

The ending of grsec kernel patches and thus pointlessness of hardened gentoo should have been reason enough to abandon that meme.

Now only OpenBSD or seL4 are the only sane OS suggestions.

>>936477

For some reason gentoo has this github and hosts software on it that they admit to. If for any reason someone has downloaded and used that software, it's possible it could be affected. I don't know what the software is, but they do and whoever downloads and uses it also does.

>>936472

>A distro I use and update from without checking sources from in literally nothing.

Cucked?

>>936487

*is

>>936487

The only point of that repo is for browsing the repository and submiting PRs. There's a seperate github account and repos for if you actually wanted to sync via git.

Just because somone was being racist, closing PRs, and force pushing some code on third party infrastructure I'm not going to pretend it's the end of the world. It's not like he was being stealthy or anything.

What else would you expect from a distribution that doesn't sigh it's packages. You could expect more security when downloading random warez from torrents rather than syncing any of gentoo's repos.

>>936550

It doesn't matter about being stealthy. It matters about making a cause and reaping what it is.

>Microshit buys github

>this happens

l

o

l

>>936556

Let me clear this up because you cleary don't understand how this works. Every package has a Manifest file listing all the hashes of the ebuilds and other files related to that package such as patches. The category the patch is in has a compressed manifest file (Manifest.gz) which contains the hash of all the manifest files for each package of the category. In the root directory there is another compressed manifest file (Manifest.files.gz) which contains a hash of every manifest file of each category. Finally in the same directory as that there is a uncompressed Manifest file which contains the hash of Manifest.files.gz and is signed with the "Gentoo Portage Snapshot Signing Key (Automated Signing Key)".

This setup allows the whole entire repository to be verified by attaching a signature to a single manifest file.

>>936471

>github

Serves them right for trusting microcuck

>>936471

Install funtoo ;^)

>hack only affecks github mirros which literally no one uses

>all he did was replace ebuilds with malicious onces

>all the malicious ebuilds do is rpretty much just m -rf /

>the malicious ebuilds don't even work and fail to execute anyway

Literally nothing.

>>936569

It's less about what the ebuilds do and more how this guy got in.

> Gentoo uses github for years without problems

> Microsoft buys github

> Suddenly entire repo compromised

I wonder who could be behind this

>no archive

http://archive.fo/SvFJ2

>>936571

What an amateur.

At least Gentoo's main code repo is self-hosted.

>>936569

Going to add in that the reason why rm -rf / doesn't work is that there is a sandbox running which will terminate the build if it's writes to a file or something like that outside of the working directory.

>>936573

OP literally linked to an archive, so why are you complaining about no archive?

>>936573

>amateur

Repeat the results you nitwit.

>>936577

See >>936569 and do that for yourself

>>936471

It's literally nothing.

Gentoo has little to do on Github.