FreeBSD Open Source OS Breached. Should We Be Worried?
From the "Here We Go Again" files:
The open source FreeBSD project publicly revealed on Saturday, November 17th, 2012, that an intrusion into its server infrastructure had been detected on Sunday, November 11th.
Why the week delay? I don't know. According to a FreeBSD email, the affected machines were taken offline for analysis as a precaution.
According to FreeBSD, "We have found no evidence of any modifications that would put any end user at risk."
However, on further analysis the FreeBSD security team also noted that "…a package set uploaded in preparation for the upcoming FreeBSD 9.1-RELEASE could not be verified, and so was removed." In other words, a set of packages whose integrity could not be confirmed against known-good hashes was pulled rather than shipped.
"As a result of this event, a number of operational security changes are being made at the FreeBSD Project, in order to further improve our resilience to potential attacks," FreeBSD stated.
Unfortunately, these kinds of breaches seem to happen every so often. Debian has been hit in the past, as have Fedora and even the Linux Foundation.
Breaches occur. That's reality.
What matters more is that breaches are identified quickly and that the open source development process can adjust. Development itself is distributed, with developers all over the world, but the parts that are centralized, the project's servers, the Subversion repository and the published hashes of release artifacts, are exactly what let a compromise be contained: a package that cannot be matched against a known-good hash, as happened here, is simply not released. The caveat is that a hash only proves integrity if it comes from somewhere the attacker could not also modify, so published checksums need to be signed or obtained through a separate, trusted channel.
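As an added illustration, not code from the FreeBSD project or from the original article, here is the shape of the check that decides whether a package set can be published: every file in a directory is compared against a manifest of published hashes in the BSD `ALGO (file) = hex` line format that FreeBSD's `sha256(1)` prints, and anything that is missing, mismatched, or present without a manifest entry is rejected. The file names, contents and manifest are constructed for the example; the manifest itself is assumed to have been obtained from a trusted source.

```python
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# One BSD-style checksum line, e.g. "SHA256 (pkg-1.0.txz) = <hex>", the format
# FreeBSD's sha256(1) utility prints and its CHECKSUM.* files use.
MANIFEST_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hexdigest>[0-9a-fA-F]+)$"
)


def parse_manifest(text):
    """Parse a checksum manifest into {file name: (algorithm, expected hex digest)}.

    Blank lines and '#' comments are skipped; any other unparseable line is an
    error, because silently ignoring a line would silently skip a file.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno}: unrecognised entry {line!r}")
        name = m["name"]
        # A manifest is untrusted input too: never let it name a file outside the directory.
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"manifest line {lineno}: refusing path-like name {name!r}")
        entries[name] = (m["algo"].lower(), m["hexdigest"].lower())
    return entries


def file_digest(path, algo, chunk_size=1 << 16):
    """Hash a file in chunks so large packages do not have to fit in memory."""
    h = hashlib.new(algo)  # raises ValueError for an algorithm hashlib lacks
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory, manifest_text):
    """Check every file in `directory` against `manifest_text`.

    Returns (ok, failures). A file fails if it is listed but missing, listed but
    its digest differs, hashed with an algorithm we cannot compute, or present
    on disk without any manifest entry (it cannot be verified at all, which is
    the situation the FreeBSD announcement describes for the removed package set).
    """
    directory = Path(directory)
    entries = parse_manifest(manifest_text)
    failures = []
    for name, (algo, expected) in entries.items():
        path = directory / name
        if not path.is_file():
            failures.append(f"{name}: listed in manifest but missing")
            continue
        try:
            actual = file_digest(path, algo)
        except ValueError:
            failures.append(f"{name}: unsupported digest algorithm {algo!r}")
            continue
        if actual != expected:
            failures.append(
                f"{name}: {algo} mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
            )
    for path in sorted(directory.iterdir()):
        if path.is_file() and path.name not in entries:
            failures.append(f"{path.name}: present but not listed in manifest, cannot be verified")
    return (not failures, failures)


def demo():
    """Constructed example (not real FreeBSD packages): one clean package, one
    tampered package, one manifest entry with no file, one file with no entry."""
    with TemporaryDirectory() as tmp:
        d = Path(tmp)
        clean = b"clean package contents\n"
        original = b"original package contents\n"
        (d / "good-1.0.txz").write_bytes(clean)
        (d / "evil-1.0.txz").write_bytes(b"package contents with a backdoor\n")
        (d / "unlisted-1.0.txz").write_bytes(b"nobody published a hash for this\n")
        manifest = "\n".join([
            "# constructed manifest, not a real FreeBSD CHECKSUM.SHA256 file",
            f"SHA256 (good-1.0.txz) = {hashlib.sha256(clean).hexdigest()}",
            f"SHA256 (evil-1.0.txz) = {hashlib.sha256(original).hexdigest()}",
            "SHA256 (missing-1.0.txz) = " + "0" * 64,
        ])
        return verify_directory(d, manifest)


if __name__ == "__main__":
    ok, failures = demo()
    print("package set verified" if ok else "REJECT package set:")
    for failure in failures:
        print("  " + failure)
```

The decision the script encodes is the one in the announcement: a single unverifiable file is enough to reject the whole set, and a file that simply has no published hash is treated as unverifiable rather than as harmless. What the script cannot do is tell you whether the manifest itself is genuine; that depends on it being signed or fetched from a host the attacker did not control.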