BT Back After Security Breach

| by Alex Blewitt Follow 4 Followers on Oct 04, 2011. Estimated reading time: 1 minute |

A note to our readers: You asked so we have developed a set of features that allow you to reduce the noise: you can get email and web notifications for topics you are interested in. Learn more about our new features.

After over a month since's security breach was announced (and subsequently taken off-line), the website has been brought back on-line.

In August, an announcement that the server had become compromised with malware took the Linux community by storm. is the distribution point for the Linux source archives, as well as hosting other projects like Git. At the time, the main server "hera" was compromised, probably via an intermediary Linux machine that was also compromised.

The advice on the Kernel mailing lists, as well as linked to from the main page, is for developers to consider their machines as potentially tainted, and to regenerate all their GnuPG keys. Since GnuPG relies on a web-of-trust between developers (rather than a known list of root certificates, which are known to have problems like the recent collapse of Diginotar), this requires that Kernel developers physically meet up in order to counter-sign their new keys. separate advice recommends the use of root detectors (such as Chrootkit, ossec-rootcheck and rkhunter. If there is any doubt, a clean re-installation will allow verification of any rogue systems, as will booting from a LiveCD and performing package scans such as rpm --verify all.

Fortunately, it is not likely that the Kernel source code, which is stored in a Git repository, is compromised. Since Git stores content identified by its SHA-1 hash, if any files were changed then this would immediately show up as a different version of a file. Changes, both pushing and pulling would detect this discrepancy and can easily be notified. In addition, the fact that the Git repository is replicated means that many copies exist over the internet, each of which has the same hashes; so a verification of known good values is possible to calculate for any developer who has a recent checkout of the repository.

A full-write up of the security breach is expected shortly.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you