kernel.org compromised 2011; Linux source not at risk because of distributed Git copies

In August 2011, kernel.org — the canonical hosting site for the Linux kernel — was compromised by attackers who obtained root access on multiple servers and ran modified versions of OpenSSH and other utilities (S-0023).

The compromise of the central distribution point did not compromise the source code. Thousands of developers held independently verifiable Git clones of the kernel repository. The cryptographic hash chain Git maintains over its commit history made tampering with any single clone immediately detectable: a modified commit produces a different hash, breaking the chain. The kernel community could verify against any clone whether what was on a specific server matched the trusted history.

This is the architectural property C-0007 asserts: integrity is mathematically verifiable rather than procedurally trusted. The kernel.org event is the strongest available natural experiment in the difference between Tier 1 (trust the host) and Tier 3 (verify by inspection). The same compromise on a Tier 1 archive would have been a preservation event because tampering could not have been independently detected. On Git's content-addressed substrate, the compromise was a security incident at a distribution point; the source itself was structurally protected.

The case is also empirical evidence that the architectural property is not academic. The Linux kernel is among the most consequential open-source artifacts in computing history; its survival of an active attack against its central host is a demonstration that the architecture works under adversarial pressure.