Today Linode announced that their database was attacked[1]. Clojars is hosted on Linode, and while we have no evidence that the attackers used their access to break into the VPS instance which hosts Clojars, we can't rule out the possibility. Other VPS instances[2] have been broken into.
Apparently the attack happened two weeks ago. In order to confirm that there was no attack, we want to verify checksums of all the artifacts we can based on copies that were fetched before the attack. If you run a private proxying internal repository for your company, you can help us verify checksums. I'll be posting a follow-up soon with some code you can use to calculate and publish checksums so we can investigate discrepancies.

At this point you should be aware that there is some risk in continuing to pull artifacts from Clojars while the verification is in process. If you have a private proxying repository, you may want to disable the Clojars source to avoid pulling in any new possibly-compromised artifacts and possibly clear out any artifacts that were fetched within the past two weeks.

If you can help out with the verification process, please join the #leiningen channel on freenode or reply to me personally.

Thanks,
Phil

[1] - http://blog.linode.com/2013/04/16/security-incident-update/
[2] - http://seclists.org/nmap-dev/2013/q2/3

http://p.hagelb.org/clojars-compromise-ann.html