[iBercovich]

This is a valid argument against open source operative systems running top clearance environments such as the military / police / government agencies. If this modifications had gone undetected for a few months, it's possible that the compromised code could have made it into a lot of critical systems.I am a Linux user, but I remember this being a Microsoft argument in the past for promoting their OS to run in government agencies.

[mindstab]

no modifications to the code appear to have been made. Like they said, that would be hard/impossible because it's all signed off by Linus in git, so ever if they compromised the server it gets them nothing. They'd then have to compromise some accounts and submit patches and still get them approved.

This argument is completely bogus. I could just as easily have happened to any one else including Microsoft, and in those cases we might not even have heard about it.

It already has happened repeatedly to some hardware vendors where an actual payload was injected into their drivers, and they weren't open source.

Between open source and git it's dramatically more likely an injected payload would be detected long before dissemination could take place.

[kevindication]

Go with "impossible." Gov't agencies don't just upgrade every time a new kernel comes out.

[ars]

Did you actually read the page? Because it says exactly the opposite. It says that it would be impossible to modify the source without hundreds of people noticing immediately.

[keypusher]

No, it isn't. Imagine someone got a developer's username and password at Microsoft. Then they logged in and managed to escalate themselves to Administrative privileges on the box that manages Windows source control via a security vulnerability. They then injected some backdoor access into Window's networking code for an upcoming patch. I would argue the chances anyone at MS would have noticed this is actually lower than compared to a distributed environment (git) that is designed from the ground up to catch these kinds of things. There is nothing about a proprietary system that makes this kind of thing any less likely.

[lallysingh]

How? Don't commercial OS vendors get hacked?

[mkr-hn]

Proprietary codebases aren't fortresses.

edit: And what ars said.

edit: And the chorus.

[davidw]

How long might it take for a problem to be detected were compromised Windows code to make it into critical systems?

[lgeek]

> we currently believe that the source code repositories were unaffected

So for now it looks like no compromised code has been distributed.

[recoiledsnake]

kernel.org hosts more than the GIT repo.

http://www.google.com/search?client=opera&rls=en&q=d...

[fishtoaster]

How would a proprietary operating system be better?

[pointyhat]

We'd not know about it :)

[janjensen]

What is the latest update?

[kqueue]

> Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.

This is more related to weak security policies than OS security flaw.

[dredmorbius]

It's more related to having multiple users with system access. Your security policy now extends to the security policies of all users and user systems. Password strength, system integrity (keyloggers, etc.), token security, and the like.

Hard security is hard.