Security Incident on FreeBSD Infrastructure

Lately `portsnap fetch update` hasn't been pulling in any updates, and I was wondering whether something had happened. It turns out there was an intrusion.


On Sunday 11th November 2012, two machines within the FreeBSD.org infrastructure were found to have been compromised. These machines were head nodes for the legacy third-party package building infrastructure. It is believed that the compromise may have occurred as early as the 19th September 2012.

The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD.

To understand the impact of this compromise, you must first understand that the FreeBSD operating system is divided into two parts: the "base" maintained by the FreeBSD community, and a large collection of third-party "packages" distributed by the Project. The kernel, system libraries, compiler, core command-line tools (e.g., SSH client), and daemons (e.g., sshd(8)) are all in the "base". Most information in this advisory refers only to third-party packages distributed by the Project.

No part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages. No evidence of this has been found during in-depth analysis, however the FreeBSD Project is taking an extremely conservative view on this and is working on the assumption that third-party packages generated and distributed within a specific window could theoretically have been modified.

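Reading the details, the things that cannot be confirmed as untampered are reportedly the binary packages built from ports, and ports trees obtained from anywhere other than svn.freebsd.org or its mirrors (which is the case if you fetched them with cvsup or csup).

The base system and ports obtained via portsnap appear to have been fine, so that is a relief for now.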

Addendum

A Japanese version of the details page is now available as well: http://www.freebsd.org/ja/news/2012-compromise.html