This hack was discovered on August 28th. Currently all kernel.org boxes are offline to do a backup and are in the process of doing complete reinstalls.
How the hackers managed to gain root access is currently unknown and is being investigated. The maintainers of kernel.org are in the process of doing an analysis on the code within git, and the tarballs to confirm that nothing has been modified.
Until then, say goodbye to the Android repository:
[root@localhost WORKING_DIRECTORY]# repo sync android.git.kernel.org[0: 220.127.116.11]: errno=Connection refused android.git.kernel.org[0: 18.104.22.168]: errno=Connection refused android.git.kernel.org[0: 2001:6b0:e:4017:1972:112:1:0]: errno=Network is unreachable android.git.kernel.org[0: 2001:500:60:10:1972:112:1:0]: errno=Network is unreachable fatal: unable to connect a socket (Network is unreachable) error: Cannot fetch platform/bionic
One of the Linux Kernel developers, Jon Corbet stated that:
Kernel.org may seem like the place where kernel development is done, but it’s not; it’s really just a distribution point. So when we say that we know the kernel source has not been compromised on kernel.org, we really know it.
Neverthless I hope that you checked the PGP signatures after downloading source codes from kernel.org repositories, because these files could be altered by hackers.
From a pure git perspective, the hackers will have a very hard time rewriting any commit history, as changing a commit’s SHA1 hash will trigger a cascading effect on the hashes of all child commits, so anyone with an existing clone of the repos would immediately know the repo has been corrupted when doing a pull.
Unfortunately while you can’t modify GPG signed tag commits, you can modify non signed commits (aka any commit that isn’t a tag) and it’ll get signed when it gets tagged.
You can read the official annoucement here.