Respository vandalism by root at ...fd.o
Peter Hutterer
peter.hutterer at who-t.net
Wed Nov 24 00:33:19 PST 2010
On 24/11/10 18:00 , Eirik Byrkjeflot Anonsen wrote:
> 1. What systems do we have in place that enables us to detect when a
> "trusted admin" acts in "bad judgement" or with "evil intent"? What
> is the probability that such actions will be noticed? Can we do
> anything to increase this probability?
>
> 2. What systems do we have in place that enables us to detect "evil
> commits" once they actually make their way into the repository? What
> is the probability that they will be noticed? Can we do anything to
> increase this probability?
git is designed to not be screwed with easily, so the chance of bad
commits being detected is quite high.
for well-maintained repositories, we tend to notice quite quickly. I'm
sure keith would notice whenever he can't push to xserver because no-one
else is supposed to commit to it.
The same is true for other repositories, so the best safeguard here is
"active maintainership".
> 3. When incidents are detected (break-ins, abuse of admin rights, evil
> commits, what have you...), what processes are in place to deal with
> this? What information is published, and in which fora, and when?
> What investigations are performed, and what actions are carried out
> as a result of such investigations? Where are these processes
> documented?
I think in this particular case, a large number of insiders likely
assumed a prank before it was called out. There is a history of
disagreements between some of the X.Org developers and Luc and the
radeonhd project, so having this happen to this particular repository is
not that surprising after all (Note, this does not excuse the action,
merely explain some of the reactions). I'd have been more worried if
that had happened to e.g. the xserver repo.
I don't think we have any official processes right now and certainly
none documented. Sending emails to the list to raise awareness is a good
approach IMO and Luc's first few emails were informative. The later part
of the thread somewhat lost usefulness when it descended to the usual
fights, conspiracy theories and name-calling. Staying on-topic should be
an essential part of any official process...
Cheers,
Peter
More information about the xorg
mailing list