Haskell, an advanced purely functional programming language, has confirmed a security breach in its Debian Builds component.
According to an advisory recently posted to Haskell’s blog, “`deb.haskell.org` is currently offline due to [its] hosting provider suspecting malicious activity.”
The project’s security teams stated on February 14th that they were working to restore functionality after the breach, an incident which has apparently left all other Haskell components, including www, Downloads server, Mail, and MySQL, intact.
No external services were affected by the breach. Additionally, out of the six Rackspace data centers that support Haskell, only one—Rackspace ORD, which is located in Chicago—was involved in the breach.
Haskell is an open source community that has evolved over the past 20 years. Its features, which include type inference and statically typed, concurrent programming, were funded by prominent sponsorships, including DataDog and DreamHost.
Several groups are committed to providing an up-to-date Haskell environment and library for different operating systems. This includes the Debian Haskell Group, whose focus is Debian, a free operating system that uses the Linux kernel or the FreeBSD kernel.
On February 15th, the security team with Haskell provided some more information about the breach: “deb.haskell.org has been compromised; dating back to February 12th when suspicious anomalies were detected in outgoing traffic. `deb.haskell.org` was already offline and suspended shortly after these traffic changes were detected by the host monitoring system.”
Haskell feels that these findings mean that the window for package compromise was small. However, some are not so sure.
In a discussion thread posted on YComb Hacker News, one user ‘kfreds’ notes how Haskell has not disclosed whether the attackers were able to obtain the package signing key, a feature which is used for almost all Linux distributions.
“If the build system is compromised,” the user warns, “your Linux distribution of choice will happily give you trojaned packages that you install as root.”
kfreds then goes on to explain that a man-in-the-middle (MitM) attack would be required in the event that the package signing key has been compromised.
As of this writing, the Debian Builds server for Haskell `deb.haskell.org` was still offline.