ROS Resources: Documentation | Support | Discussion Forum | Index | Service Status | ros @ Robotics Stack Exchange
Ask Your Question

[clarification] Packages built during potential compromise in 2019

asked 2019-06-17 09:07:14 -0600

130s gravatar image

updated 2019-06-17 09:47:15 -0600

First of all apologies for my nescience about the recent security issue on buildfarm but I truly appreciate the quick turnout!

For the packages that are built and distributed while the security problem was present, is there any clarification and recommendation for how to deal with them?

I can imagine there might be many computers out in the world that have those packages installed on, and I wonder if those packages need to be wiped out. If upgrading packages is recommended, for some of those systems (e.g. production system deployed at users site) it might not be trivial to do so.

The best thing closest to the information I'm looking for is from by @nuclearsandwich, from which I'm not yet sure about the type of packages I'm concerned of:

So far we have no indication that the intrusion was anything more than a commodity attack by a group looking to hijack CPU cycles. But we are unlikely to ever be able to completely rule out malicious interference in the ROS binary packaging pipeline. So in an abundance of caution we are (i) continuing to rebuild everything that we reasonably can and (ii) relocating the rest.

edit retag flag offensive close merge delete



I'm not an authority here (hence the comment), but seeing as all packages have been rebuilt from scratch, installing all available updates should get you "in the clear".

gvdhoorn gravatar image gvdhoorn  ( 2019-06-17 13:09:10 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2019-06-17 13:20:32 -0600

tfoote gravatar image

As @gvdhoorn says, the recommendation is to update to the latest packages which have been all rebuilt from source.

There is no known compromise of any of the older packages, but it's recommended to use the rebuilt versions to be sure.

edit flag offensive delete link more

Question Tools



Asked: 2019-06-17 09:07:14 -0600

Seen: 141 times

Last updated: Jun 17 '19