[Gluster-devel] Gluster infrastructure security update

Amye Scavarda amye at redhat.com
Thu Oct 22 01:00:14 UTC 2015


In a recent audit of the overall Gluster.org infrastructure, we discovered
an intrusion into a little-used server. As a result, we are notifying the
community of the intrusion, which we do not believe has compromised any of
the GlusterFS code or packages offered to the community. However, in an
abundance of caution, we are sharing steps we are taking as a result,
including replacing the download area of Gluster.org’s infrastructure.

More detail: The legacy server in question was no longer being used for
development and was not hosted within the main Gluster Project
infrastructure. The intrusion occurred in 2013-2014.

We believe the intrusion was a result of a brute-force password attack, and
the attackers were attempting to use the compromised infrastructure as part
of a botnet. Red Hat’s information security team has found no evidence that
the intruders attempted to access any parts of the critical release
infrastructure, and there is no evidence that any of Gluster’s code or
binaries were tampered with.

Plan: We are accelerating our plans to replace our download server. As an
extra measure we will also update the Gluster Project’s package signing
keys.

Security and the trust of the community are of utmost importance to us. We
wanted to share this information so that the Gluster community was aware of
the reasons for any infrastructure changes. We also want to note that we
are making a number of scheduled changes to improve the Gluster
infrastructure, and will soon open a discussion about how interested
members of the Gluster community can participate in managing project
infrastructure.

-- 
Amye Scavarda | amye at redhat.com | Gluster Community Lead

