The FreeBSD Project is now reporting that several machines have been broken
into. After a brief outage, ftp.FreeBSD.org and other services appear to be
back. The project announcement states that some deprecated services
(e.g., cvsup) may be removed rather than restored. Users are advised to
check for packages downloaded between certain dates and replace them,
not because known trojans have been found, but because the
project has not yet been able to confirm that they could not exist.
Apparently initial access was via a stolen SSH key, but fortunately their
clusters were partitioned so that the effects were limited. The announcement
contains more detailed information, and we are left wondering: would
proprietary companies that get broken into be so forthcoming? Should they be?