
Canonical Ltd source code repositories have been compromised - rvnx
https://github.com/CanonicalLtd
======
jammygit
So... what’s the risk? If a person updated their Ubuntu computers this or last
week, are they in trouble?

~~~
dpb1
Hijacking top comment...

We can confirm that on 2019-07-06 there was a Canonical owned account on
GitHub whose credentials were compromised and used to create repositories and
issues among other activities. Canonical has removed the compromised account
from the Canonical organisation in GitHub and is still investigating the
extent of the breach, but there is no indication at this point that any source
code or PII was affected.

Furthermore, the Launchpad infrastructure where the Ubuntu distribution is
built and maintained is disconnected from GitHub and there is also no
indication that it has been affected.

We plan to post a public update after our investigation, audit and
remediations are finished.

Thank you, your trust in Canonical is important to us, which is why we make
privacy and security a priority.

-David on behalf of Canonical

~~~
gaia
Thanks for the update, David. Would this be an affected store?
[https://us.images.linuxcontainers.org/images/ubuntu/bionic/a...](https://us.images.linuxcontainers.org/images/ubuntu/bionic/amd64/default/)

~~~
dpb1
From our investigation so far, they do not appear to be, no.

------
theshadowknows
While it’s troubling that this happened isn’t it sort of cool that it’s out in
the open for everyone to see? At least due to open source the community can
know what happened and even look for changes.

~~~
dhimes
What sucks is that I _just_ updated WSL immediately before coming to this
article. Hopefully it's ok.

------
sp332
I only see a list of files. Can you link to something more specific?

~~~
SuperH00man
Some strange repos have been created and there is this issue
[https://github.com/CanonicalLtd/CAN_GOT_HAXXD/issues/1](https://github.com/CanonicalLtd/CAN_GOT_HAXXD/issues/1)

~~~
johannes1234321
Removed or made private (I see a 404 error only)

~~~
SuperH00man
Somebody on Twitter took some screenshots
[https://twitter.com/dclauzel/status/1147525512794988544](https://twitter.com/dclauzel/status/1147525512794988544)

~~~
dClauzel
Yes, somebody did ;)

~~~
apt-get
Air France represents!

~~~
remify
Do you mean Air Rance

~~~
dClauzel
Ah, I see you’re a man of culture as well

------
tariof
It shows 10 empty repositories with names CAN_GOT_HAXXD_%d and age 2 hours.

------
yourfather
I was told this several hours ago on IRC - this is not an official statement:

someuser@somewhere.canonical.com: I can confirm that we're aware of the issue,
have done some initial remediation (e.g. shutting down CI systems that might
pull potentially compromised code) while we do a more in depth investigation.

someotheruser@ubuntu/member/username: And we've of course revoked the access
that was abused.

------
rasengan
We are lucky that they decided to vandalize instead of hiding something.
Remember, on GitHub you can actually submit your commit with another's email,
and GitHub automatically puts the identity associated with the email, allowing
people to spoof.

Always sign your commits!

~~~
chrisseaton
> We are lucky that they decided to vandalize instead of hiding something.

How on earth do you know they haven't done both?!

~~~
tus88
Git commit hashes are pretty safe.

~~~
chrisseaton
Aren't they changing the hash algorithm specifically because they're no longer
safe?

~~~
tus88
Theoretically no longer safe, but to insert a compromised commit matching
another one that looks like normal code is close to impossible.
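
As an added example (not code from this thread or from Canonical), here is the commit hashing tus88 and chrisseaton are discussing, written out in Python the way git serialises a commit object, with a constructed three-commit history over git's well-known empty tree. It shows rasengan's point too: the author line is plain text under the hash, so changing the email is trivial, while the hash of that commit and every descendant changes, which is what a parent-chain check catches; the identities and messages are constructed.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Commit:
    """Fields of a git commit object, in the order git serialises them."""
    tree: str        # hex id of the tree snapshot
    parents: tuple   # hex ids of parent commits (empty for a root commit)
    author: str      # 'Name <email> unixtime tz', exactly as git stores it
    committer: str
    message: str

    def body(self) -> bytes:
        lines = [f"tree {self.tree}"]
        lines += [f"parent {p}" for p in self.parents]
        lines += [f"author {self.author}", f"committer {self.committer}", "", self.message]
        return ("\n".join(lines) + "\n").encode()

    def object_id(self) -> str:
        # git hashes "commit <size>\0" followed by the body. Nothing here
        # authenticates the author string; it is just bytes under the hash.
        body = self.body()
        return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()


EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's empty-tree id
IDENT = "Dev Eloper <dev@example.org> 1562400000 +0000"   # constructed identity


def make_chain(n):
    """Build n chained commits over the empty tree (constructed sample history)."""
    chain, parent = [], ()
    for i in range(n):
        c = Commit(EMPTY_TREE, parent, IDENT, IDENT, f"commit {i}")
        chain.append(c)
        parent = (c.object_id(),)
    return chain


def verify_chain(chain):
    """True if every commit's parent field names the id of the commit before it."""
    return all(c.parents == (p.object_id(),) for p, c in zip(chain, chain[1:]))


def spoof_author(c, fake_ident):
    """What anyone with push access can do: rewrite the unauthenticated author line."""
    return replace(c, author=fake_ident)
```

Only a signature over the commit object binds the author line to a key, which is why the hash alone says nothing about who wrote it.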

------
giancarlostoro
Are these not just mirrors though or do they actually use git? Woulda thought
they used SVN primarily since they pull from Debian? Or do they just pull
tarballs... And this all leads to me wondering how they do their process...
Anybody got good docs on how Ubuntu or similar distros that base off a parent
distro do their work?

~~~
kevinoid
First, I would like to challenge the assumption that Debian primarily uses SVN
for packaging. We can get a rough idea from the use of Vcs-$name package
metadata in the testing distribution:

    # Count Vcs-<name> fields in the testing Sources index, skipping Vcs-Browser;
    # the lz4-compressed list is fed to unlz4 via stdin redirection.
    </var/lib/apt/lists/*_debian_dists_testing_main_source_Sources.lz4 unlz4 |
      sed -n '/^Vcs-Browser:/n;s/^Vcs-\([A-Za-z]*\): .*/\1/p' |
      sort |
      uniq -c

On my system this gives:

          4 Arch
         72 Bzr
          5 Cvs
          5 Darcs
      24168 Git
         21 Hg
         21 Mtn
        603 Svn

This shows that git is the overwhelming favorite and about 40 times more
popular than SVN for packages which provide VCS metadata.

The sources can be pulled directly from Debian as tarballs using
[syncpackage]. Ubuntu maintainers are free to use their preferred VCS for
maintaining Ubuntu-specific packaging. Using the same VCS as the Debian
maintainer (or upstream developer) is often convenient, but not required.

[syncpackage]: https://manpages.ubuntu.com/manpages/precise/man1/syncpackage.1.html

~~~
jobigoud
Surprised to see the same number for Monotone as for Mercurial.

------
gionn
It looks like they have already recovered everything.

------
PatrolX
Two people have been removed since this occurred.

------
tsjq
Does that imply Ubuntu code might've been compromised, and some trackers /
keylogger code planted?

------
chris_wot
Uh, this is worrying.

