The Linux Kernel Archives, the primary site for distribution of the code at the heart of all Linux-based PCs, routers, smartphones and tablets, has come back on-line after an extended outage which followed a security breach.
The site was taken down when it was discovered that unknown attackers had access to the main Kernel.org server, Hera, in an attack which is thought to have occurred up to seventeen days prior but which had gone unnoticed up to that point. As a precaution, the entire site was taken down temporarily.
That temporary outage became extended as the team behind the site struggled to plug the hole which had allowed the attackers to gain access, while also reviewing the site's contents to ensure that no backdoor code had been inserted to allow the attackers back in.
At the time, the Linux Foundation's Jonathan Corbet described the attack as 'embarrassing,' but denied that it represented a security concern for Linux in general. "What self-respecting cracker wouldn’t want an opportunity to place some special code into the Linux kernel? Such code would, over time, find its way into millions of machines worldwide," he said.
"If kernel developers worked by shipping simple files of source code around, they might well be vulnerable to malware added by an intruder. But that is not how kernel development is done," Corbet claimed. "The code for the kernel - and for many other projects - is managed with the 'git' source code management system. And git does not allow the code to be modified by third parties without people knowing about it."
Nevertheless, it was considered prudent to give the Kernel.org site and all its associated projects a thorough review before allowing it to be rebooted - a process which has now been completed, with the main site up now as part of a phased restoration.
"We have taken the time to rearchitect the site in order to improve our systems for developers and users of Kernel.org," the site's maintainers have stated as an explanation for the two-month outage. "Thanks to all for your patience and understanding during our outage and please bear with us as we bring up the different kernel.org systems over the next few weeks. We will be writing up a report on the incident in the future."
For project maintainers who hosted on Kernel.org, the site's operators have posted a set of instructions on the mailing list for creating new cryptographic keys for code signing, which must be cross-signed by other developers in order to create a 'web of trust' which should guarantee the security of future updates.
Until the instructions are followed, the group warns, projects will not be re-hosted on the site.