Everything is better in the cloud?
Score one for hosting your own critical infrastructure.
If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data. The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages …
Gentoo is one of the few Linux distros not infected by systemd.
Systemd is M$ evil EEE Linux master plan, they "sponsor" RedHat, SUSE, Canonical, etc. In case a distro doesn't obey, they threaten to sue them out of business, Mafia-style business methods.
Now that M$ bought GitHub, M$ changed the source code of Gentoo. Unfortunately, some found out about mismatching files, and good that Gentoo has their own servers with the original Git repo.
If you happened to download a fresh .iso, and have no or inadequate connection to the Strong Set, then you have a bootstrap problem.
Anyone else should surely be protected by a chain of trust leading at the very least back to what they originally installed, and supported by signatures within the Strong Set.
Or are you suggesting that (of all things) a techie-oriented Linux distro has no basic security in its distribution? That Gentoo is doing the spooks' bidding by laying itself wide open to the insertion of spyware, government-sanctioned or otherwise?
From TFA:
"Since the master Gentoo ebuild repository is hosted on our own infrastructure and since GitHub is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org," Warner said.
So yeah, there's a chain of trust, unless you chose not to follow it and to download from Github instead.
Where you download from should have very little bearing on security. A cryptographic chain of trust works just as well with something off the back of a lorry as with the most trusted origin.
I wouldn't rely on a "gentoo.org" address for my security: that would open me to any number of attack vectors. Verifiable PGP signatures of verifiable gentoo personnel work altogether better.
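The comment above puts the trust in signatures rather than in where the bytes came from. In Gentoo's case the signed object is the Manifest: a list of file sizes and hashes that the PGP signature covers, with the fetched distfiles checked against it. As an added example (not Gentoo's code or Portage's, and not part of this thread), the script below does the hash half of that check over a constructed Manifest and constructed in-memory "distfiles", reporting any file whose size or BLAKE2B/SHA512 digest differs from what the Manifest lists. The PGP verification of the Manifest itself is assumed to have happened first (e.g. with gpg against a key you trust); the Manifest line format is simplified to the DIST entries only.

```python
import hashlib

# Constructed sample "distfiles" standing in for fetched tarballs. They are
# kept as in-memory bytes rather than files on disk so the example runs offline.
DISTFILES = {
    "foo-1.0.tar.gz": b"original upstream tarball contents\n",
    "bar-2.3.tar.gz": b"another upstream tarball\n",
}

def manifest_line(name, data):
    """Build one DIST line in the style of a Gentoo Manifest for the given blob."""
    return "DIST {} {} BLAKE2B {} SHA512 {}".format(
        name, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest())

# Constructed Manifest as it would ship (PGP-signed) with the tree. In practice
# the signature on this text is what ties it back to a trusted developer key.
MANIFEST = "\n".join(manifest_line(n, d) for n, d in DISTFILES.items()) + "\n"

HASHERS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}

def parse_manifest(text):
    """Return {name: (size, {algo: hexdigest})} for the DIST entries in a Manifest."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "DIST":
            continue  # blank lines and entry types this example does not model
        name, size = parts[1], int(parts[2])
        hashes = dict(zip(parts[3::2], parts[4::2]))
        entries[name] = (size, hashes)
    return entries

def verify(manifest_text, files):
    """Check every file against the Manifest.

    Returns {name: [problems]}; an empty list means the file matched on size
    and on every listed digest. Files absent from either side are reported too.
    """
    entries = parse_manifest(manifest_text)
    report = {}
    for name, (size, hashes) in entries.items():
        data = files.get(name)
        if data is None:
            report[name] = ["missing"]
            continue
        problems = []
        if len(data) != size:
            problems.append("size mismatch")
        for algo, expected in hashes.items():
            hasher = HASHERS.get(algo)
            if hasher is None:
                problems.append("unknown hash %s" % algo)
                continue
            if hasher(data).hexdigest() != expected:
                problems.append("%s mismatch" % algo)
        report[name] = problems
    for name in files:
        if name not in entries:
            report[name] = ["not listed in Manifest"]
    return report

# Constructed tampered copy: one byte changed, same length, so only the
# digests catch it. This is the kind of "mismatching files" a mirror compromise
# produces.
TAMPERED = dict(DISTFILES)
TAMPERED["foo-1.0.tar.gz"] = b"0riginal upstream tarball contents\n"

if __name__ == "__main__":
    for label, files in (("clean", DISTFILES), ("tampered", TAMPERED)):
        print(label)
        for name, problems in sorted(verify(MANIFEST, files).items()):
            print("  %-16s %s" % (name, "OK" if not problems else ", ".join(problems)))
```

Run as-is, the clean set reports OK for both files and the tampered set flags foo-1.0.tar.gz on both digests while the size still matches, which is why the size field alone is never treated as sufficient.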
Is it a coincidence that "Hardened Gentoo" seems to have been languishing since at least Jan 2016? https://wiki.gentoo.org/wiki/Talk:Hardened_Gentoo - a question about documentation ("what is 'cd grub?'") was responded to, but not answered. A second "discussion" was started in Dec 2017 about the need for updates to the wiki page. Now, I understand much or all of the work of this project has migrated or been subsumed into Gentoo's SELinux, but the old stuff has been left dangling in the wind, as it were. Disinterest seems to have affected, or infected!, the Gentoo project! What is going on there?