It looks like someone has been attacking Savane-derived hosting platforms. Recently Savannah has been down, and the page that has now gone up confirms that they had a security breach. Unfortunately, Gna! has a similar code-base, and their site now confirms that they are investigating an issue too.

This has a knock-on issue for Bongo, since we use Gna! hosting. Our download area appears to still be alive, and thankfully we have always signed the releases. You can check a release of Bongo quite simply:

  gpg --verify bongo-0.6.1.tar.bz2.sig bongo-0.6.1.tar.bz2

This should result in a confirmation that the file is correctly signed with the key 9B6913D7, which is available on public webservers – just search for that ID.

We will check the SVN repos and other parts of the project when Gna! comes back on line to ensure that these have not been attacked; but I can say with some confidence that we have no reason to expect that r1323, the current HEAD, has anything nefarious in it whatsoever. Certainly, if the security breach was as recent as Savannah’s appears to be, there is nothing to fear.