According to NakedSecurity.sophos.com: Gentoo, a popular distribution of Linux, has had its GitHub repository hacked. Hacked, as in “totally pwned”, taken over, and modified; so far, no one seems to be sure quite how or why. Now this is exemplary in code management: The Gentoo team didn’t beat around the bush, and quickly published an unequivocal statement about the breach. The Gentoo GitHub repository is only a secondary copy of the main Gentoo source code. The main Gentoo repository is intact. All changes in the main Gentoo repository are digitally signed and can therefore be verified. As far as we know, the main Gentoo signing key is safe, so the digital signatures are reliable. since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.