科技回声
A tech-news platform built on Next.js, providing global tech news and discussion content.

Kernel.org has been hacked (see site news)

167 points, posted by KonradKlause over 13 years ago

10 comments

waffle_ss, over 13 years ago
From a pure git perspective, the attacker(s) will have a very hard time rewriting any commit history, as changing a commit's SHA1 hash will trigger a cascading effect on the hashes of all child commits on down the DAG from the one that they change.

Anyone with an existing clone of the repos would immediately know the repo has been corrupted when doing a pull (although fresh clones wouldn't be as lucky, of course).
plainOldText, over 13 years ago
If the security at kernel.org has been breached, then I don't know what to think about me, the little guy - who runs a small VPS - or about the small start-ups out there. I guess having secure systems is not that easy after all, and people overlook this or fail to allocate enough resources to this process.
bugsy, over 13 years ago
I have a question. They note they have notified officials. I've tried notifying the FBI after our sites have been hacked, but they are not interested in it. Is there some other place to report? Does anyone really investigate this stuff?
zobzu, over 13 years ago
I'd like to point out that while you can't modify tagged + GPG-signed tag commits, you can modify non-signed commits (aka any commit that isn't a tag), and it'll get signed when it gets tagged.

That's also assuming that tags are GPG-signed, which they often are not, even on kernel.org.

Non-signed commits can actually be tampered with, and they do need to check the code thoroughly against 3rd-party older archives, which is a PITA.

Code signing > x, including per-commit signing, Mr Linus T and Git maintainers.

Note that they were against per-commit signing because "when you sign the tag, you sign everything so it's ok".

Except you won't read all the patches you sign when you sign the tag, and if any has been modified, as explained, you don't know. Again, per-commit signing solves it.

Food for thought, I guess.
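A worked model of the two points made above, waffle_ss's cascade of commit hashes and zobzu's distinction between tampering after a tag is signed and tampering before it, as an added example that is not part of the thread and not git's or kernel.org's own code. It reproduces git's real object-hashing format (so `blob_id(b"hello\n")` gives the same id as `git hash-object`), but the maintainer and author keys and the HMAC signatures are stand-ins for GPG, the file contents and the three-commit history are constructed placeholders, and it goes one step beyond the thread by also showing what per-commit signing would catch.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def git_object_id(kind: str, body: bytes) -> str:
    # SHA-1 over "<type> <size>\0<body>": the loose-object format git actually hashes.
    header = f"{kind} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(filename: str, blob: str) -> str:
    # One-file tree: "<mode> <name>\0" followed by the 20 raw bytes of the blob id.
    entry = f"100644 {filename}".encode() + b"\x00" + bytes.fromhex(blob)
    return git_object_id("tree", entry)


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")  # the parent link is what makes hashes cascade
    lines.append("author Dev <dev@example.org> 1314700000 +0000")  # constructed identity
    lines.append("committer Dev <dev@example.org> 1314700000 +0000")
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id("commit", body)


Patch = Tuple[str, bytes, str]  # (filename, file content after the commit, commit message)

# Constructed three-commit history; the file contents are placeholders, not kernel code.
PATCHES: List[Patch] = [
    ("sched.c", b"int pick_next(void) { return 0; }\n", "sched: initial"),
    ("sched.c", b"int pick_next(void) { return 1; }\n", "sched: fix pick"),
    ("sched.c", b"int pick_next(void) { return 2; }\n", "sched: tune"),
]
BACKDOOR = b"int pick_next(void) { return 0; } /* backdoor */\n"


def build_history(patches: List[Patch]) -> List[str]:
    """Commit ids of a linear history, oldest first."""
    ids: List[str] = []
    parent: Optional[str] = None
    for name, content, message in patches:
        parent = commit_id(tree_id(name, blob_id(content)), parent, message)
        ids.append(parent)
    return ids


def tamper(patches: List[Patch], index: int, content: bytes) -> List[Patch]:
    """Attacker rewrites the file content recorded by one old commit."""
    edited = list(patches)
    name, _, message = edited[index]
    edited[index] = (name, content, message)
    return edited


def cascade_demo() -> List[bool]:
    """Tampering with the first commit changes every descendant's id, not only its own."""
    clean, evil = build_history(PATCHES), build_history(tamper(PATCHES, 0, BACKDOOR))
    return [c != e for c, e in zip(clean, evil)]


def pull_is_fast_forward(local: List[str], server: List[str]) -> bool:
    """An existing clone only fast-forwards if the server history still starts with its own."""
    return server[: len(local)] == local


# Hypothetical keys: HMAC stands in for the GPG signature a maintainer or author would make.
MAINTAINER_KEY = b"hypothetical-maintainer-key"
AUTHOR_KEY = b"hypothetical-author-key"


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_tag(tagname: str, commit: str) -> str:
    # A signed tag covers the tag object, which names exactly one commit id.
    return sign(MAINTAINER_KEY, f"object {commit}\ntype commit\ntag {tagname}\n".encode())


def verify_tag(tagname: str, commit: str, signature: str) -> bool:
    return hmac.compare_digest(sign_tag(tagname, commit), signature)


def tamper_after_tag() -> Tuple[bool, bool]:
    """Tag signed before the break-in: the tagged commit no longer exists in the rewritten history."""
    clean = build_history(PATCHES)
    signature = sign_tag("v1.0", clean[-1])
    evil = build_history(tamper(PATCHES, 0, BACKDOOR))
    return clean[-1] in evil, verify_tag("v1.0", evil[-1], signature)


def tamper_before_tag() -> bool:
    """Tampered before the maintainer tags: the signature is valid over backdoored history."""
    evil = build_history(tamper(PATCHES, 0, BACKDOOR))
    return verify_tag("v1.0", evil[-1], sign_tag("v1.0", evil[-1]))


def per_commit_signing_catches_it() -> bool:
    """Authors signed their own commit ids at commit time; the rewritten ids carry no signature."""
    signatures: Dict[str, str] = {c: sign(AUTHOR_KEY, c.encode()) for c in build_history(PATCHES)}
    evil = build_history(tamper(PATCHES, 0, BACKDOOR))
    return all(c in signatures and hmac.compare_digest(signatures[c], sign(AUTHOR_KEY, c.encode()))
               for c in evil)
```

`cascade_demo` and `pull_is_fast_forward` are waffle_ss's point: rewriting one old commit changes every id after it, so a clone that already holds the old ids cannot fast-forward onto the rewritten server history, while a fresh clone has no old ids to compare against. `tamper_after_tag` and `tamper_before_tag` are zobzu's point: a tag signature only pins the one commit id it names, so it detects rewriting that happens after signing but says nothing about commits that were already tampered with when the maintainer signed. `per_commit_signing_catches_it` shows why per-commit signatures close that gap: the tampered ids simply have no author signature.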
rhygar, over 13 years ago
Thank god for Git.
copper, over 13 years ago
Anyone know how this affects the ArchLinux packages? kernel.org is still the fastest mirror around for them.
dnagir, over 13 years ago
I wonder what was the reason behind this?
cooldeal, over 13 years ago
> However, it's also useful to note that the potential damage of cracking kernel.org is far less than typical software repositories

What about code that's hosted on kernel.org itself? Isn't kernel.org a source for the public to get the kernel and not git?

http://www.kernel.org/pub/ ftp://ftp.kernel.org/pub/ rsync://rsync.kernel.org/pub/

It would be easy for the exploiter to insert trojaned/rootkitted kernels into those places.
mtrnx, over 13 years ago
If MD5s of the files exist, then there seems to be no problem.
iBercovich, over 13 years ago
This is a valid argument against open source operating systems running in top-clearance environments such as the military / police / government agencies. If these modifications had gone undetected for a few months, it's possible that the compromised code could have made it into a lot of critical systems. I am a Linux user, but I remember this being a Microsoft argument in the past for promoting their OS to run in government agencies.