[Mesa-dev] Mesa master branch: forced update

Kristian Høgsberg krh at bitplanet.net
Tue Jul 10 13:54:48 PDT 2012 

On Tue, Jul 10, 2012 at 4:24 PM, Ferry Huberts <mailings at hupie.com> wrote:
>
> On 10-07-12 22:13, Kenneth Graunke wrote:
>>
>> On 07/10/2012 12:50 PM, Tom Stellard wrote:
>>>
>>>
>>> I just fetched from the master branch of the fdo mesa repo and was
>>> greeted with a "forced update" message, and the gitweb interface shows
>>> several days of history are missing from the master branch.
>>>
>>> olv appears to be the last user to modify the master branch:
>>>
>>> tstellar at annarchy:~$ ls -l /git/mesa/mesa.git/refs/heads/master
>>> -rw-rw-r-- 1 olv mesa 41 Jul 10 11:41
>>> /git/mesa/mesa.git/refs/heads/master
>>>
>>> Anyone know what happened?
>
>
> Login on the server, and look at the git logs.
> The commits are not lost, just not visible.
>
> logs are in:
> <repodir>/logs
>
> or do:
> cd <repodir>
> git reflog

I already did that, there are no reflogs in the mesa git repo.  The
repo is older than the reflog feature.  The best we can do is to look
at the master ref.

It's possible that this was an attack to alter history (sneak in a
backdoor, for example, the dri drivers run as root in aiglx in most
distros).  However, the commit that was pushed matches the older
commit (which is why Kenneth was able to pull and fast-forward) and
git fsck verifies that the history hasn't been tampered with.  That
is, it is possible to hand edit a commit object to include changes
that wasn't originally there and then just force the SHA1 to match
what is was before.  git fsck will catch that, but only in a new
clone, since when you pull from an existing repo, git won't fetch old
objects.  More unlikely, history was altered in a way such that code
was inserted but the sha1 was preserved (ie sha1 was compromised).
I'm on a bad connection right now, but I'll do a fresh clone of the
mesa repo and do a git fsck there as well as comparing the contents of
a recent commit with what I have locally to see if the contents has
been changed while preserving the sha1 validity.

Of course, if you were looking to compromise the repo, you wouldn't
push back history and attract attention like this, but better safe
than sorry.

Kristian

>>> -Tom
>>
>>
>> I'm not sure what happened, but I just (non-force) pushed my copy of
>> master to restore the lost history.  Ian, Chad, Matt, Jordan, Anuj,
>> Paul, and I looked at our copies and it appeared that I had the most
>> recent history (I'd pulled literally a few hours ago).
>>
>> The new head is:
>>
>> commit 67a8ee891b2e119d826d8f830c1cbbe64ecb4f82
>> Author: Marek Olšák <maraeo at gmail.com>
>> Date:   Tue Jul 10 18:55:46 2012 +0200
>>
>>      gallium/docs: document interface changes for timestamp query
>>
>> Hopefully this doesn't make things worse...
>> _______________________________________________
>> mesa-dev mailing list
>> mesa-dev at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/mesa-dev
>>
>
> --
> Ferry Huberts
>
>
>
> _______________________________________________
> mesa-dev mailing list
> mesa-dev at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/mesa-dev

More information about the mesa-dev mailing list