Hacker News new | past | comments | ask | show | jobs | submit login

Hijacking top comment...

We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities. Canonical has removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected.

Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.

We plan to post a public update after our investigation, audit and remediations are finished.

Thank you, your trust in Canonical is important to us, which is why we make privacy and security a priority.

-David on behalf of Canonical

At least it wasn't as juvenile as the (possible actual) juvenile "hack"[0] of Gentoo's repos that had insertions of "rm -rf /" at the wrong places (where they wouldn't even execute) and insertions of racial slurs into readmes.

[0] https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident...

I just recall the takeover of the Lubuntu project by this kid, kicking out all others and his attempt to threaten others in the project at Christmas time as a ubuntu tm licensee for his website impostering as a Ubuntu trade mark owner. His forged evidence provided worked with Github staff to get others blocked. I don't trust Ubuntu accounts anymore and I don't trust Canonical because they let it happen.

Thank for the update, David. Would this be an affected store? https://us.images.linuxcontainers.org/images/ubuntu/bionic/a...

From our investigation so far, they do not appear to be, No.

Launchpad doesn't look very trustworthy either: https://launchpad.net/projects/+all

Launchpad is public, think GitHub but for packages. The Canonical Launchpad repositories weren't tampered. Presumably a lot fewer people have commit access to LP since it's used for package distribution.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact