After, faces a Security Breach

The cluster saw a security breach on two of its machines on Sunday. Following the breach, was taken offline, and although most of it is back online now, some deprecated projects are being removed. The FreeBSD project has not been able to confirm the existence of trojans, but users are advised to be vigilant about the possibility.


The breach was made possible by a leaked SSH key, which affected a few clusters. This is not a result of a hack, but a classic example of people being the weakest point in security. FreeBSD has stepped up its efforts to mitigate this risk, and a part of its response reads:

"As a result of this event, a number of operational security changes are being made at the FreeBSD Project, in order to improve our resilience to potential attacks. We plan, therefore, to rapidly deprecate a number of legacy services, such as cvsup distribution of FreeBSD source, in favor of our more robust Subversion, FreeBSD-update, and portsnap models."

Although the rogue developer had no access to the FreeBSD base systems, he did have enough access to compromise the third-party packages. is conducting security audits and will come out with news of possible breaches if any. The full compromise report and safety precautions are available at this page.

Published by

Chinmoy Kanjilal
