[linux-elitists] Rooted kernel.org hosts (was: PJ takes her victory lap)

Greg KH greg at kroah.com
Wed Aug 31 20:43:34 PDT 2011


On Wed, Aug 31, 2011 at 08:31:18PM -0700, Rick Moen wrote:
> I'm curious about two points not (to my knowledge) yet covered, probably
> for the simple reason that there hasn't been enough time for proper
> forensics:
> 
> 1. What was the escalation path to root?

The people working on this have not had time to write up the details
yet.

> 2. Completely aside from the git repo contents, were the downloadable
> *.tar.[gz|bz2] source archives trojaned?

Not that has been detected so far, but verification is currently
happening to ensure this.

> Are there any non-site-local mechanisms in place to detect such
> tampering (other than, of course, the fact that the Linux Kernel
> Archives OpenPGP key is well known, and some of us bother to check the
> *.tar.[gz|bz2].sign files)?

Yes, the design of git makes it almost impossible to tamper with, and
the tarballs can be regenerated from any git tree to verify the
integrity of them.  You can do this yourself if you want to ensure this.

greg k-h
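
Added example, not part of the original message or of kernel.org's tooling: git names each file's content by a SHA-1 over a `blob <len>\0` header plus the bytes, so a downloaded tarball can be checked file by file against the `git ls-tree -r <tag>` listing taken from an independent clone. The archive prefix `linux-x/`, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile

def git_blob_id(data: bytes) -> str:
    """Object name git gives file content: SHA-1 over 'blob <len>\\0' + data."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()

def parse_ls_tree(listing: str) -> dict:
    """Parse `git ls-tree -r <tag>` lines: '<mode> <type> <id>\\t<path>'."""
    blobs = {}
    for line in listing.splitlines():
        meta, path = line.split("\t", 1)
        mode, kind, obj = meta.split()
        # Mode 120000 is a symlink; it is not a regular file in the tarball.
        if kind == "blob" and mode != "120000":
            blobs[path] = obj
    return blobs

def verify_tarball(tar_bytes: bytes, listing: str, prefix: str) -> dict:
    """Compare every regular file in the tarball with the tree listing."""
    expected = parse_ls_tree(listing)
    seen, modified, extra = set(), [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name
            path = name[len(prefix):] if name.startswith(prefix) else name
            seen.add(path)
            if path not in expected:
                extra.append(path)
            elif git_blob_id(tar.extractfile(member).read()) != expected[path]:
                modified.append(path)
    missing = sorted(set(expected) - seen)
    return {"modified": sorted(modified), "extra": sorted(extra), "missing": missing}

def make_tarball(files: dict, prefix: str) -> bytes:
    """Build a constructed sample tarball in memory (stand-in for a download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data, not real kernel content.
SAMPLE = {"README": b"hello\n", "kernel/main.c": b"int main(void) { return 0; }\n"}
LISTING = "\n".join(f"100644 blob {git_blob_id(d)}\t{p}" for p, d in SAMPLE.items())
```

The listing is only as trustworthy as the clone it comes from, so take it from a repository whose tag or commit id was obtained independently of the download server.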

