On Sun, Mar 31, 2019 at 11:55:57AM -0700, Mike Bird wrote: > On Sun March 31 2019 10:55:22 KatolaZ wrote:
> > We know. Seems to be quite serious. No access to our infra. We are
> > working on it, and we will post updates. :\
> Assuming you still control your DNS you could immediately remove
> and later replace *.devuan.org to reduce the number of people
> accessing/downloading potentially compromised material.
> Here at yosemite.net we have stopped ALL package updates/installs
> until we know more.
Just an update on the current situation: it looks like the machines on
which pkgmaster (the main package repository server) and amprolla are
run are safe. They are on a separate piece of infrastructure and there
have not been compromised.
So packages from pkgmaster.devuan.org, packages.devuan,org, and
deb.devuan.org should be safe anyway (and the repos are signed, so any
inconsistency would be immediatedly flagged by apt).