Server breach likely to delay GNOME
In the sixth compromise of an open-source development project in the past year, the GNOME Project says its servers were apparently breached.
In an e-mail alert sent Tuesday, the managers of the project told developers that they had found evidence indicating that the server hosting GNOME.org had been breached. GNOME and its rival KDE provide the two major desktop systems used on computers running the Linux operating system.
"We are investigating further and will provide updates as we know more," Owen Taylor, a member of the GNOME system administration team and a software engineer for Red Hat's desktop group, stated in a two-paragraph advisory on the GNOME Announcements mailing list. "We hope to have the essential services hosted on the affected machine up and running again as soon as possible."
The short message also stated that the administrators believed the source code repository, which contains the current development work on GNOME software, was unaffected by the breach.
A member of the GNOME development team said that the next version of the software, GNOME 2.6, will likely be delayed a few days while the project members investigate the breach. The software was scheduled to be released on Wednesday.
"We don't expect any significant effect on GNOME development," the team member said on condition of anonymity. "Because it happened right before the 2.6 release, we'll probably have to push (the release) back a few days but that should be all."
The apparent trespass is the latest blow for the security of open-source development projects.
Members of the GNOME Project noticed some "suspicious processes running on the GNOME.org" server, said the developer. An investigation revealed several files in a temporary directory that led the team to believe that someone was able to run commands and to search for vulnerabilities.
"As far as we know at this point no damage was done other than the loss of services while we clean up and get things back in place," said the team member. "We're, of course, investigating thoroughly to make sure that we know the full extent of the break-in and will provide a full update to the community when we finish that."