Re: Respository vandalism by r...@...fd.o

2010-11-29 Thread Adam Jackson
On Wed, 2010-11-24 at 11:25 +0100, Maarten Maathuis wrote:

 If Adam indeed did this, and did not undo it afterwards, then he is
 having at least some (mental) issues. He did the right thing by
 disabling his admin account, because he obviously has some things to
 sort out. While the action itself is minor, the causes for doing it
 probably are not. Just encourage Adam to work out his problems. Trust
 can be rebuilt, it just takes (a lot of) time and an effort on his
 side to sort out his life.

Yeah, let's just leave it at that, that's really all the psychoanalysis
I feel comfortable with in public.  My emotional state is not great.
I've burned quite a lot of trust and reputation here, and that's not
something I wanted.

All I can do is apologize, dust myself off, and start again.

- ajax


___
xorg@lists.freedesktop.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: http://lists.freedesktop.org/mailman/listinfo/xorg
Your subscription address: arch...@mail-archive.com

Re: companies contributing to X [was: Re: Respository vandalism by r...@...fd.o]

2010-11-26 Thread Alan Coopersmith
Matthew Garrett wrote:
 The lack of documentation for various aspects of the server doesn't help 
 either. I found X development far more intimidating than getting 
 involved in the kernel.

That is something we know we've been lacking for a long time, and have been
working to correct.   So far most of the efforts have been around getting the
docs to a place where people can edit them and then have the toolchain around
to see the html/pdf/etc. output.   (Matt & Gaetan have made amazing progress
here over the last year after years of the rest of us talking about it, though
most of that is around client library & protocol level documentation, since
that's where the bulk of our existing documentation is, and not so much
server/driver side.)

For Xorg 1.9, I got the server internals docs in-tree and building with the
standardish xmlto tools - now comes the hard part of getting them up-to-date
again and having useful contents.

The X.Org Board has recently approved Bart's proposal to set aside a few days
before the 2011 X Developer Conference for a book sprint to produce
documentation for developers and hopefully we'll be able to build upon the
existing docs, Matt's Summer of Code KMS docs, and Stephane's draft driver
writing guide to actually have some good docs for people.

-- 
-Alan Coopersmith-   alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System



Re: companies contributing to X [was: Re: Respository vandalism by r...@...fd.o]

2010-11-25 Thread Matthew Garrett
On Wed, Nov 24, 2010 at 02:56:32PM -0700, Matt Dew wrote:

 This I'm curious about.   Are there more companies that feel it's
 too-hard/not-worth-while for companies to contribute stuff to Xorg?
 I know the linux kernel has this issue, but is X's contribution
 difficulty larger?

I think X faces the problem that our approach to code quality is pretty 
similar to the kernel, but the number of skilled coders with domain 
experience is much smaller. There's a pretty strong cultural mismatch 
between our willingness to accept patches and people's willingness to 
submit them. Vendors are willing to argue that their component suppliers 
have in-kernel drivers, but X.org's modular development model makes it 
far easier for those suppliers to argue that an out of tree X driver 
is equivalent to something that's maintained within X.org.

The unsurprising outcome is that drivers in X.org only tend to be 
regularly updated if they have someone who can work with the X.org 
community. If they don't, it's far easier to keep the code in their own 
tree. Working out ways to improve this situation would seem worthwhile, 
but simply being more enthusiastic about accepting contributions doesn't 
seem like a great plan (compare the code quality of nouveau, intel and 
radeon to that of some of the out of tree drivers, for instance)

-- 
Matthew Garrett | mj...@srcf.ucam.org


Re: companies contributing to X [was: Re: Respository vandalism by r...@...fd.o]

2010-11-25 Thread Alan Cox
 but simply being more enthusiastic about accepting contributions doesn't 
 seem like a great plan (compare the code quality of nouveau, intel and 
 radeon to that of some of the out of tree drivers, for instance)

I think that is a little naïve. There is a difference between vendors
attempting to use Xorg as a dump and run for crap code, and being a bit
more relaxed about obscure drivers that are otherwise unmaintained.

The latter makes a good ground for people to learn the craft, as indeed
can staring at some of the finest vendor Vogon poetry and turning it into
something resembling C to help get it upstream.

X is a bit odd in other ways - its history has been rather closed at
times which hasn't helped as it means there isn't a long standing large
developer base.

It consists (for much of the relevant stuff) of a very small number of
very large and very complex drivers for insanely complex bits of
hardware. That doesn't have the same scaling for newbies the kernel does
where there are hundreds of random USB widgets you never knew you needed
that make good starting points.

Maintaining the old Voodoo2 driver was a bit like minor kernel hacking. I
can't even imagine how KeithP fits everything he needs to know for the
intel drivers into his head.

Alan


Re: companies contributing to X [was: Re: Respository vandalism by r...@...fd.o]

2010-11-25 Thread Matthew Garrett
On Thu, Nov 25, 2010 at 09:23:38PM +, Alan Cox wrote:
  but simply being more enthusiastic about accepting contributions doesn't 
  seem like a great plan (compare the code quality of nouveau, intel and 
  radeon to that of some of the out of tree drivers, for instance)
 
 I think that is a little naïve. There is a difference between vendors
 attempting to use Xorg as a dump and run for crap code, and being a bit
 more relaxed about obscure drivers that are otherwise unmaintained.

I don't entirely agree. If people provide code review and the vendor 
maintainer's attitude is approximately "We're only willing to work with 
you if you accept our approach", I don't think that benefits us. It can 
be an opportunity for learning - I'm just not sure that it has been in 
the real world, so far.

 X is a bit odd in other ways - its history has been rather closed at
 times which hasn't helped as it means there isn't a long standing large
 developer base.

That's certainly true. The small number of developers has been a 
longstanding issue, and the fact that companies can't really just pick 
up an existing developer makes all of this much harder.

 It consists (for much of the relevant stuff) of a very small number of
 very large and very complex drivers for insanely complex bits of
 hardware. That doesn't have the same scaling for newbies the kernel does
 where there are hundreds of random USB widgets you never knew you needed
 that make good starting points.
 
 Maintaining the old Voodoo2 driver was a bit like minor kernel hacking. I
 can't even imagine how KeithP fits everything he needs to know for the
 intel drivers into his head.

The lack of documentation for various aspects of the server doesn't help 
either. I found X development far more intimidating than getting 
involved in the kernel.

-- 
Matthew Garrett | mj...@srcf.ucam.org


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Eirik Byrkjeflot Anonsen
Luc Verhaegen l...@skynet.be writes:

 On Wed, Nov 24, 2010 at 04:36:17PM +1000, Dave Airlie wrote:
 On Wed, Nov 24, 2010 at 4:31 PM, Luc Verhaegen l...@skynet.be wrote:
 
  See, this was exactly the problem here. It _was_ a freedesktop admin.
  And it was pretty clear that it was that from the onset too. Mailing
  fd.o admins, even if i could've dug up an email address in the split
  second that i wrote the email (heck, i even mistyped repository), was
  not the right course of action.

(As an aside: maybe it would be a good idea to spend more than a split
second on writing an email of this kind?)

 So you mailed 2 mailing lists consisting of 2-300 people who could do
 nothing about it?
 
 nice work.
 
 Dave.

 Stop the counter-attack dave, it's far too obvious what you are doing 
 here.

His response seems quite reasonable to me, assuming that he thought your
intention was to get the problem looked into rather than just raising a
stink.  On the other hand if your intention was primarily to make a lot
of noise, then clearly your action was a reasonable one.  Which brings
me to:

 The means to the end were perfectly justifiable under the circumstances, 
 and this includes the years of experience i have with dealing with X.org 
 community. This especially includes the experience of something as noble 
 as the radeonhd driver project.

Then what was your intended end?  Has it been accomplished?

As far as I can see, all you've managed to do is to create a lot of
noise about what is, in itself, a fairly minor incident.  Yes, it is
serious that a trusted admin abuses his powers.  However, that happens
and will continue to happen.  Humans are like that.  We often show a
remarkable lack of good judgement.  And in this case, I think the
pattern matches well with bad judgement rather than evil intent.

What I'm far more worried about are the admins (and non-admins) who have
made changes with evil intent that we have not noticed.  I am not
particularly worried about this incident, as anyone with true evil
intent would not have advertised their actions like this.  However,
that doesn't mean that no-one has acted with evil intent, and been
successful at it.

There are two things that I feel are important about this:

1. What systems do we have in place that enable us to detect when a
   trusted admin acts in bad judgement or with evil intent?  What
   is the probability that such actions will be noticed?  Can we do
   anything to increase this probability?

2. What systems do we have in place that enable us to detect evil
   commits once they actually make their way into the repository?  What
   is the probability that they will be noticed?  Can we do anything to
   increase this probability?

You'll notice that none of these are directly related to this incident.
This incident only provides an excuse for bringing up such issues.  If
that was your goal, then I feel that it has not yet been accomplished,
but making noise about it may have been a reasonable approach anyway.


More related to this incident (and your comments) could be this issue,
which I consider slightly less important than the previous two, but is
still a quite significant point:

3. When incidents are detected (break-ins, abuse of admin rights, evil
   commits, what have you...), what processes are in place to deal with
   this?  What information is published, and in which fora, and when?
   What investigations are performed, and what actions are carried out
   as a result of such investigations?  Where are these processes
   documented?


Of course, I have my own suspicions about the answers to all three
questions, but that's not the point.  The point is that the people who
actually deal with these things must reflect over whether what we are
doing is good enough or whether we should do better.  (It goes without
saying that we could do better, the question is whether it is worthwhile
to spend effort on actually doing better.)

I know that all this work is largely carried out by volunteers in their
spare time.  That doesn't make my three questions unimportant.


(I'll just end by pointing out that whenever I say "we" above, of course
I mean "you", considering how much I personally have contributed to this
project.  Thank you for all the good work, it is deeply appreciated.)

eirik


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Dave Airlie
On Wed, Nov 24, 2010 at 4:48 PM, Luc Verhaegen l...@skynet.be wrote:
 On Wed, Nov 24, 2010 at 04:36:17PM +1000, Dave Airlie wrote:
 On Wed, Nov 24, 2010 at 4:31 PM, Luc Verhaegen l...@skynet.be wrote:
 
  See, this was exactly the problem here. It _was_ a freedesktop admin.
  And it was pretty clear that it was that from the onset too. Mailing
  fd.o admins, even if i could've dug up an email address in the split
  second that i wrote the email (heck, i even mistyped repository), was
  not the right course of action.

 So you mailed 2 mailing lists consisting of 2-300 people who could do
 nothing about it?

 nice work.

 Dave.

 Heh.

 I already wasted quite some time on the actions of one of your
 colleagues, i guess i can waste some more time on yours.

 Stop the counter-attack dave, it's far too obvious what you are doing
 here.

Paranoid much? still seeing faces in the dark?

Like really if you can't answer a simple question about why you mailed
200 people who couldn't do any investigation of the issue without
going off the deep end I have to wonder.

Dave.


 The means to the end were perfectly justifiable under the circumstances,
 and this includes the years of experience i have with dealing with X.org
 community. This especially includes the experience of something as noble
 as the radeonhd driver project.

 Anything else than a similar course of action would've meant that the issue
 would've been silenced to death.

 Luc Verhaegen.



Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Luc Verhaegen
On Wed, Nov 24, 2010 at 06:01:19PM +1000, Dave Airlie wrote:
 On Wed, Nov 24, 2010 at 4:48 PM, Luc Verhaegen l...@skynet.be wrote:
  On Wed, Nov 24, 2010 at 04:36:17PM +1000, Dave Airlie wrote:
  On Wed, Nov 24, 2010 at 4:31 PM, Luc Verhaegen l...@skynet.be wrote:
  
   See, this was exactly the problem here. It _was_ a freedesktop admin.
   And it was pretty clear that it was that from the onset too. Mailing
   fd.o admins, even if i could've dug up an email address in the split
   second that i wrote the email (heck, i even mistyped repository), was
   not the right course of action.
 
  So you mailed 2 mailing lists consisting of 2-300 people who could do
  nothing about it?
 
  nice work.
 
  Dave.
 
  Heh.
 
  I already wasted quite some time on the actions of one of your
  colleagues, i guess i can waste some more time on yours.
 
  Stop the counter-attack dave, it's far too obvious what you are doing
  here.
 
 Paranoid much? still seeing faces in the dark?
 
 Like really if you can't answer a simple question about why you mailed
 200 people who couldn't do any investigation of the issue without
 going off the deep end I have to wonder.
 
 Dave.

Not this again. It is getting rather old, and especially in light of 
recent events, it seems rather out of place too.

Stop it, it's ridiculous.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Tollef Fog Heen

Hi,

Dave, thanks for the Cc.  I've Cc-ed this to freedesktop@, since it's
really a bit more of a project-wide discussion than just xorg, but feel
free to keep both in Cc.

]] Frans de Boer

| Also, if it turns out to be a validated claim Adam made, accept it as
| is and continue. Hopefully Adam has learned his lesson. But also
| Freedesktop.org should have it's act together. Do check the access
| rights and allow only trusted persons root access. Hopefully Adam was
| NOT one of them they trusted explicitly and he has only access due to
| historical reasons.

People are people and sometimes do stupid things and things they
regret. What Adam did was stupid and wrong, but it was also out of
character for him.  There was no reason whatsoever not to let him have
root access before.

]] Dave Airlie

| Yes, and not sure about the rest. Freedesktop isn't some sort of paid
| organisation here, you have a group of volunteers running some
| machines tied together with a lot of bailing twine. It only recently
| through the good graces of Collabora that fd.o got some paid
| administration time directed at it at all (Tollef). Like we could
| migrate all the stuff to machines that X.org control but we'd end up
| with the same problems + another set of problems.

The main problem fdo is facing on the admin side these days is a lack of
resources more than anything, and we don't want to trust completely
random people to have root.  Those we trust enough to have root are
usually quite busy already.  That said, I'm hoping to make the admin
burden slightly lighter by doing two things.  Please note that these are
my ideas, they're not set in stone and while I think I have the
consensus of the rest of the active fdo admins, nothing has formally
been decided yet.

- Kick out inactive admins and bring new ones on board.  I'm not going
  to take away root from anybody who uses it and needs it, but for
  people who just have root for historical reasons and haven't done
  anything with it for months or years, I'd like to remove it.

- Split account administration and root.  We already use ud-ldap and we
  do have one account admin that's not root, so this is already
  feasible, and if some of the existing root users basically only do
  account management, I'd like to move those people off root and just
  get them account management rights.

Over time, I'm slightly hoping we can split this even further out so
trusted people can do git repository management for their own project
without having to involve an admin for the easy regular tasks.  If
anybody wants to be involved in this (and over time, more involved in
fdo admin work), I'd love to get help, particularly with moving towards
some of the ideas in
http://err.no/personal/blog/tech/2010-03-27-15-55_why_you_should_publish_your_infrastructure

| Adam still does a lot of a/c maintenance for X.org and other projects,
| these will now have to be done by a part-time admin which means even
| longer delays on new a/cs. There is a major fd.o overhaul in the works
| and maybe Tollef can provide some insight into it when he has time.

Some of the items are listed above, in addition we're in the middle of
acquiring new machines which should allow things like better spam
filtering and generally better performance.

Regards,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Peter Hutterer

On 24/11/10 18:00, Eirik Byrkjeflot Anonsen wrote:

1. What systems do we have in place that enable us to detect when a
trusted admin acts in bad judgement or with evil intent?  What
is the probability that such actions will be noticed?  Can we do
anything to increase this probability?

2. What systems do we have in place that enable us to detect evil
commits once they actually make their way into the repository?  What
is the probability that they will be noticed?  Can we do anything to
increase this probability?


git is designed to not be screwed with easily, so the chance of bad 
commits being detected is quite high.
for well-maintained repositories, we tend to notice quite quickly. I'm 
sure keith would notice whenever he can't push to xserver because no-one 
else is supposed to commit to it.


The same is true for other repositories, so the best safeguard here is 
active maintainership.



3. When incidents are detected (break-ins, abuse of admin rights, evil
commits, what have you...), what processes are in place to deal with
this?  What information is published, and in which fora, and when?
What investigations are performed, and what actions are carried out
as a result of such investigations?  Where are these processes
documented?


I think in this particular case, a large number of insiders likely 
assumed a prank before it was called out. There is a history of 
disagreements between some of the X.Org developers and Luc and the 
radeonhd project, so having this happen to this particular repository is 
not that surprising after all (Note, this does not excuse the action, 
merely explain some of the reactions). I'd have been more worried if 
that had happened to e.g. the xserver repo.


I don't think we have any official processes right now and certainly 
none documented. Sending emails to the list to raise awareness is a good 
approach IMO and Luc's first few emails were informative. The later part 
of the thread somewhat lost usefulness when it descended to the usual 
fights, conspiracy theories and name-calling. Staying on-topic should be 
an essential part of any official process...


Cheers,
  Peter



Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Dave Airlie

 As far as I can see, all you've managed to do is to create a lot of
 noise about what is, in itself, a fairly minor incident.  Yes, it is
 serious that a trusted admin abuses his powers.  However, that happens
 and will continue to happen.  Humans are like that.  We often show a
 remarkable lack of good judgement.  And in this case, I think the
 pattern matches well with bad judgement rather than evil intent.

 What I'm far more worried about are the admins (and non-admins) who have
 made changes with evil intent that we have not noticed.  I am not
 particularly worried about this incident, as anyone with true evil
 intent would not have advertised their actions like this.  However,
 that doesn't mean that no-one has acted with evil intent, and been
 successful at it.

 There are two things that I feel are important about this:

 1. What systems do we have in place that enable us to detect when a
   trusted admin acts in bad judgement or with evil intent?  What
   is the probability that such actions will be noticed?  Can we do
   anything to increase this probability?

wrt to the git repos, git is designed to be good at detecting
tampering, esp history tampering, i.e. git won't allow a push to a
repo that hasn't got matching history. Someone adding a branch or
pushing a branch with a file, should be noticed by active project
participants.

We also sign all the release emails with md5/sha1 sums for the
tarballs for later verification, which was instituted after the last
real security incident.

 2. What systems do we have in place that enable us to detect evil
   commits once they actually make their way into the repository?  What
   is the probability that they will be noticed?  Can we do anything to
   increase this probability?

Again git + humans using the repos should catch most things.

 3. When incidents are detected (break-ins, abuse of admin rights, evil
   commits, what have you...), what processes are in place to deal with
   this?  What information is published, and in which fora, and when?
   What investigations are performed, and what actions are carried out
   as a result of such investigations?  Where are these processes
   documented?

We could probably better define this sort of thing, again fd.o has
been a pretty haphazard setup based on volunteer time and effort, but
again hopefully we can get some escalation procedures in place that
are less public.

Dave.
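To make concrete why git refuses a push whose history does not match, here is an added example; it is not code from this thread or from the X.org/fd.o infrastructure. It builds blob, tree and commit objects with git's real hashing (the blob id for "hello\n" matches what `git hash-object` prints), chains three constructed commits, and runs the fast-forward ancestry check a server applies to a default push; file contents, identities and timestamps are constructed, and the tampering step edits only the root commit to show that every descendant id changes with it.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed in-memory object store: object id (hex sha1) -> raw git object bytes.
ObjectStore = Dict[str, bytes]


def git_object_id(kind: str, body: bytes, store: ObjectStore) -> str:
    """Hash an object exactly as git does: sha1(b"<kind> <len>\\0" + body), and store it."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    oid = hashlib.sha1(raw).hexdigest()
    store[oid] = raw
    return oid


def blob(store: ObjectStore, content: bytes) -> str:
    return git_object_id("blob", content, store)


def tree(store: ObjectStore, entries: Dict[str, str]) -> str:
    """Tree object from {filename: blob id}; git sorts entries by name and stores raw 20-byte ids."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(entries[name])
        for name in sorted(entries)
    )
    return git_object_id("tree", body, store)


def commit(store: ObjectStore, tree_id: str, parent: Optional[str],
           message: str, stamp: int) -> str:
    """Commit object. The parent id is part of the hashed body: that is what chains history."""
    # Constructed identity and fixed timestamps so the ids are reproducible.
    ident = f"Example Dev <dev@example.invalid> {stamp} +0000"
    lines = [f"tree {tree_id}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += [f"author {ident}", f"committer {ident}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode(), store)


def parent_of(store: ObjectStore, commit_id: str) -> Optional[str]:
    """Read the parent id back out of a stored commit (linear history, one parent)."""
    body = store[commit_id].split(b"\0", 1)[1].decode()
    for line in body.split("\n"):
        if line == "":          # blank line ends the headers; the message follows
            break
        if line.startswith("parent "):
            return line[len("parent "):]
    return None


def is_fast_forward(store: ObjectStore, old_head: str, new_head: str) -> bool:
    """The check git applies to a default push: the current head must be an
    ancestor of the pushed head. A rewritten history fails it."""
    cur: Optional[str] = new_head
    while cur is not None:
        if cur == old_head:
            return True
        cur = parent_of(store, cur)
    return False


def chain(store: ObjectStore, readme: bytes) -> List[str]:
    """Constructed three-commit history whose root commit carries the given README."""
    c1 = commit(store, tree(store, {"README": blob(store, readme)}),
                None, "initial import", 1290000000)
    c2 = commit(store, tree(store, {"README": blob(store, readme),
                                    "driver.c": blob(store, b"int probe(void);\n")}),
                c1, "add driver stub", 1290000100)
    c3 = commit(store, tree(store, {"README": blob(store, readme),
                                    "driver.c": blob(store, b"int probe(void) { return 0; }\n")}),
                c2, "implement probe", 1290000200)
    return [c1, c2, c3]


def build_history(store: ObjectStore) -> List[str]:
    return chain(store, b"hello\n")


def rewrite_history(store: ObjectStore) -> List[str]:
    """Tampering model: only the root commit's README is edited, but because each
    commit hashes its parent id, every descendant gets a new id as well."""
    return chain(store, b"hello\nedited after the fact\n")


if __name__ == "__main__":
    objects: ObjectStore = {}
    honest = build_history(objects)
    rewritten = rewrite_history(objects)
    print("blob id of 'hello\\n':", blob(objects, b"hello\n"))  # same as `git hash-object`
    for a, b in zip(honest, rewritten):
        print(f"{a[:12]} -> {b[:12]}  changed={a != b}")
    print("push of rewritten head is fast-forward:",
          is_fast_forward(objects, honest[-1], rewritten[-1]))
```

A fast-forward check only proves the pushed history extends the old one; a new commit or branch on top of untouched history passes it, which is why the thread still relies on active maintainers noticing unexpected pushes.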


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Luc Verhaegen
On Wed, Nov 24, 2010 at 06:33:19PM +1000, Peter Hutterer wrote:
 On 24/11/10 18:00 , Eirik Byrkjeflot Anonsen wrote:
 1. What systems do we have in place that enable us to detect when a
 trusted admin acts in bad judgement or with evil intent?  What
 is the probability that such actions will be noticed?  Can we do
 anything to increase this probability?

 2. What systems do we have in place that enable us to detect evil
 commits once they actually make their way into the repository?  What
 is the probability that they will be noticed?  Can we do anything to
 increase this probability?

 git is designed to not be screwed with easily, so the chance of bad  
 commits being detected is quite high.
 for well-maintained repositories, we tend to notice quite quickly. I'm  
 sure keith would notice whenever he can't push to xserver because no-one  
 else is supposed to commit to it.

 The same is true for other repositories, so the best safeguard here is  
 active maintainership.

 3. When incidents are detected (break-ins, abuse of admin rights, evil
 commits, what have you...), what processes are in place to deal with
 this?  What information is published, and in which fora, and when?
 What investigations are performed, and what actions are carried out
 as a result of such investigations?  Where are these processes
 documented?

 I think in this particular case, a large number of insiders likely  
 assumed a prank before it was called out. There is a history of  
 disagreements between some of the X.Org developers and Luc and the  
 radeonhd project, so having this happen to this particular repository is  
 not that surprising after all (Note, this does not excuse the action,  
 merely explain some of the reactions). I'd have been more worried if  
 that had happened to e.g. the xserver repo.

 I don't think we have any official processes right now and certainly  
 none documented. Sending emails to the list to raise awareness is a good  
 approach IMO and Luc's first few emails were informative. The later part  
 of the thread somewhat lost usefulness when it descended to the usual  
 fights, conspiracy theories and name-calling. Staying on-topic should be  
 an essential part of any official process...

Conspiracy theories?

Come on man, Daniel Stone and Adam Jackson, known, over the years, for 
liking radeonhd, sit down, after most likely some alcohol and maybe even 
other substances, and pull this. According to irc, Adam, who had root 
access himself, used Daniel's account to do this, in a targeted and 
efficient manner. If i remember the timestamps right, the update script 
was moved back within 5 minutes of the commit.

Then 3 weeks ensued where nothing happened, where Adam and Daniel 
could've fixed their spur of the moment mistake, without anyone 
noticing, but clearly, they did not come back on their steps.

It was a completely unnecessary event, and it only serves to show how 
certain projects, not suited to a certain group are being treated. And 
two former X.org board members, two people who joined the X.org fork from 
xfree86 very early on, but who, as far as i can tell, were little or not 
involved with xfree86 at the time, and who got these access rights from 
very early on too, abused their power to trash an existing but 
unmaintained free software project.

Now, of course everyone ties this in with my history with X.org, from 
unichrome, to modesetting, to radeonhd, to fosdem, to graphics driver 
stacks.

But you also might want to consider that i was at a hardware vendor two 
weeks ago, and i had to listen to their main engineer calling 
contributing directly to X "a waste of time", and that they rather fix 
the versions their customers ship, and hand the patches to their 
customers directly, never bothering to submit to X directly. They rather 
implement stuff, hand it to their customers, as they know that their 
code will not be accepted, and that it will be reinvented a few weeks or 
months later. Then they go and use the reimplementation afterwards, and 
save a lot of manpower and frustration in the process. Despite all my 
personal feelings about free software and the likes, I had absolutely 
nothing to counter, anything i could even try to throw up against that 
would either be completely irrelevant and meek, or a lie.

_This_ is how the world works with an X.org that works like that.

Someone just mailed it: "i find it surprising that the person exposing 
the evildoing is getting more flak than the person(s) doing it."

Luc Verhaegen


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Tim Beaulen
Luc,

I completely agree with you.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Maarten Maathuis
On Wed, Nov 24, 2010 at 11:03 AM, Tim Beaulen tbsc...@gmail.com wrote:
 Luc,

 I completely agree with you.


If Adam indeed did this, and did not undo it afterwards, then he is
having at least some (mental) issues. He did the right thing by
disabling his admin account, because he obviously has some things to
sort out. While the action itself is minor, the causes for doing it
probably are not. Just encourage Adam to work out his problems. Trust
can be rebuilt, it just takes (a lot of) time and an effort on his
side to sort out his life.

Maarten.

-- 
Far away from the primal instinct, the song seems to fade away, the
river get wider between your thoughts and the things we do and say.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Peter Hutterer

On 24/11/10 19:38, Luc Verhaegen wrote:

On Wed, Nov 24, 2010 at 06:33:19PM +1000, Peter Hutterer wrote:

On 24/11/10 18:00, Eirik Byrkjeflot Anonsen wrote:

1. What systems do we have in place that enable us to detect when a
 trusted admin acts in bad judgement or with evil intent?  What
 is the probability that such actions will be noticed?  Can we do
 anything to increase this probability?

2. What systems do we have in place that enable us to detect evil
 commits once they actually make their way into the repository?  What
 is the probability that they will be noticed?  Can we do anything to
 increase this probability?


git is designed to not be screwed with easily, so the chance of bad
commits being detected is quite high.
for well-maintained repositories, we tend to notice quite quickly. I'm
sure keith would notice whenever he can't push to xserver because no-one
else is supposed to commit to it.

The same is true for other repositories, so the best safeguard here is
active maintainership.


3. When incidents are detected (break-ins, abuse of admin rights, evil
 commits, what have you...), what processes are in place to deal with
 this?  What information is published, and in which fora, and when?
 What investigations are performed, and what actions are carried out
 as a result of such investigations?  Where are these processes
 documented?


I think in this particular case, a large number of insiders likely
assumed a prank before it was called out. There is a history of
disagreements between some of the X.Org developers and Luc and the
radeonhd project, so having this happen to this particular repository is
not that surprising after all (Note, this does not excuse the action,
merely explain some of the reactions). I'd have been more worried if
that had happened to e.g. the xserver repo.

I don't think we have any official processes right now and certainly
none documented. Sending emails to the list to raise awareness is a good
approach IMO and Luc's first few emails were informative. The later part
of the thread somewhat lost usefulness when it descended to the usual
fights, conspiracy theories and name-calling. Staying on-topic should be
an essential part of any official process...


Conspiracy theories?


I did not imply that you were the one starting with the conspiracy 
theories, and I think strictly speaking there was no name-calling in 
that thread either so I have overshot the target and I apologise. 
Correct the above to the usual fights, that at least is obvious.


Anyway, the best approach to solving issues like this is to go to the 
list and say hey guys, this isn't funny, it raises trust issues when 
that happens. Which is exactly what your first email did, and the first 
subsequent ones. The thread then went haywire quickly, initiated by a 
number of people, and that is unnecessary.


At this point we have found the guilty parties, we have a publicly 
expressed regret, the consequences of removed root access, and we should 
move on to the more on-topic questions Eirik raised.


If you want to raise the issue of how the radeonhd project was treated 
or the methods of said hardware vendor, I suggest starting a new thread 
because I don't think this one will go anywhere useful at this point.


Cheers,
  Peter



Come on man, Daniel Stone and Adam Jackson, known, over the years, for
liking radeonhd, sit down, after most likely some alcohol and maybe even
other substances, and pull this. According to irc, Adam, who had root
access himself, used Daniel's account to do this, in a targeted and
efficient manner. If i remember the timestamps right, the update script
was moved back within 5 minutes of the commit.

Then 3 weeks ensued where nothing happened, where Adam and Daniel
could've fixed their spur of the moment mistake, without anyone
noticing, but clearly, they did not come back on their steps.

It was a completely unnecessary event, and it only serves to show how
certain projects, not suited to a certain group, are being treated. And
two former X.org board members, two people who joined the X.org fork from
xfree86 very early on, but who, as far as i can tell, were little or not
involved with xfree86 at the time, and who got these access rights from
very early on too, abused their power to trash an existing but
unmaintained free software project.

Now, of course everyone ties this in with my history with X.org, from
unichrome, to modesetting, to radeonhd, to fosdem, to graphics driver
stacks.

But you also might want to consider that i was at a hardware vendor two
weeks ago, and i had to listen to their main engineer calling
contributing directly to X a waste of time, and that they rather fix
the versions their customers ship, and hand the patches to their
customers directly, never bothering to submit to X directly. They rather
implement stuff, hand it to their customers, as they know that their
code will not be accepted, and that it will be 

Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Alan Cox
  See, this was exactly the problem here. It _was_ a freedesktop admin.
  And it was pretty clear that it was that from the onset too. Mailing
  fd.o admins, even if i could've dug up an email address in the split
  second that i wrote the email (heck, i even mistyped repository), was
  not the right course of action.
 
 So you mailed 2 mailing lists consisting of 2-300 people who could do
 nothing about it?

He ensured the problem was noticed, and that it got out to people who
depend upon the repository being secure and properly managed. In this
case that turns out to have ensured the offender admitted to something
silly but if it had been a more serious attack it would also have ensured
people relying on the repository knew what was going on.

Security through bad mouthing the messenger for raising the issue is
normally reserved for government ministers, IMHO it has no place here.



Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Daniel Stone
Hi,
I've been mostly offline whilst moving, so have only read this through
web archives.  As mentioned on IRC earlier, it was my account used. 
My apologies: as ajax said, it's indefensible, and am not really sure
what else to say.  I've suspended my root accounts as well.

That being said:

On Wed, Nov 24, 2010 at 10:38:19AM +0100, Luc Verhaegen wrote:
 maybe even other substances

As explained to Luc earlier: no, absolutely not.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Luc Verhaegen
On Wed, Nov 24, 2010 at 11:18:20AM +, Alan Cox wrote:
 
 He ensured the problem was noticed, and that it got out to people who
 depend upon the repository being secure and properly managed. In this
 case that turns out to have ensured the offender admitted to something
 silly but if it had been a more serious attack it would also have ensured
 people relying on the repository knew what was going on.
 
 Security through bad mouthing the messenger for raising the issue is
 normally reserved for government ministers, IMHO it has no place here.

With all things said and done, it looks like mailing just fd.o admins 
was not the best of options here. Two of the fd.o admins were 
responsible for this :(

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Luc Verhaegen
On Wed, Nov 24, 2010 at 08:27:12PM +1000, Peter Hutterer wrote:
 On 24/11/10 19:38 , Luc Verhaegen wrote:

 Conspiracy theories?

 I did not imply that you were the one starting with the conspiracy  
 theories, and I think strictly speaking there was no name-calling in  
 that thread either so I have overshot the target and I apologise.  
 Correct the above to the usual fights, that at least is obvious.

 Anyway, the best approach to solving issues like this is to go to the  
 list and say hey guys, this isn't funny, it raises trust issues when  
 that happens. Which is exactly what your first email did, and the first  
 subsequent ones. The thread then went haywire quickly, initiated by a  
 number of people, and that is unnecessary.

 At this point we have found the guilty parties, we have a publicly  
 expressed regret, the consequences of removed root access, and we should  
 move on to the more on-topic questions Eirik raised.

 If you want to raise the issue of how the radeonhd project was treated  
 or the methods of said hardware vendor, I suggest starting a new thread  
 because I don't think this one will go anywhere useful at this point.

 Cheers,
   Peter

It is highly related though, the stunt pulled here just underlines the 
situation the project is in for anyone not belonging to the right crowd, 
and that directly affects the future of X.org.

Heck, part of the reason why so many go crazy over any X replacement 
project can be attributed to this.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Alan Coopersmith
Eirik Byrkjeflot Anonsen wrote:
 2. What systems do we have in place that enables us to detect evil
commits once they actually make their way into the repository?  What
is the probability that they will be noticed?  Can we do anything to
increase this probability?

Distributed version control.   Developers should notice when attempting to push
to git if head had changed unexpectedly.   I'm sure google can find you some
background reading about how this works in git.

 3. When incidents are detected (break-ins, abuse of admin rights, evil
commits, what have you...), what processes are in place to deal with
this?  What information is published, and in which fora, and when?
What investigations are performed, and what actions are carried out
as a result of such investigations?  Where are these processes
documented?

Those would be questions for our hosting provider, freedesktop.org.
X.Org does not control the freedesktop.org machines.   There is a large
overlap in the groups, but we do not have the authority to speak for them.

-- 
-Alan Coopersmith-alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System

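
The fast-forward rule that Peter and Alan rely on for detection, as an added example (not code from git or the X.Org project): a small model of git's push check over a constructed commit graph. It shows that a commit written directly on the server is caught at the maintainer's next push when it lands on a tracked branch, but not when it sits on a new branch the maintainer's clone never compares, which is the `spigot` case in this thread. Commit ids and branch names below are made up for the demo.

```python
from collections import deque

# Constructed commit graph: commit id -> parent ids. Short made-up ids,
# not real object hashes. "c3" is the maintainer's unpushed local work,
# "x9" is a commit written directly on the server, bypassing push.
COMMITS = {
    "a1": [],
    "b2": ["a1"],
    "c3": ["b2"],
    "x9": ["b2"],
}


def is_ancestor(commits, ancestor, descendant):
    """True if `ancestor` is reachable from `descendant` by parent links."""
    seen = set()
    queue = deque([descendant])
    while queue:
        cur = queue.popleft()
        if cur == ancestor:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(commits.get(cur, []))
    return False


def push_would_be_rejected(commits, remote_refs, branch, local_head):
    """Git accepts a non-forced push only if the remote tip is already an
    ancestor of what is being pushed (a fast-forward).
    Returns (rejected, reason)."""
    remote_head = remote_refs.get(branch)
    if remote_head is None:
        return False, "creates a new remote branch"
    if remote_head == local_head:
        return False, "already up to date"
    if is_ancestor(commits, remote_head, local_head):
        return False, "fast-forward"
    return True, "non-fast-forward: remote %s is at %s" % (branch, remote_head)


def audit_remote(commits, remote_refs, local_refs):
    """What a maintainer's clone reveals about the server: branches whose
    remote tip moved outside the maintainer's history (the push is refused,
    so they notice) and branches the clone has never tracked (nothing
    compares them, so they go unnoticed)."""
    flagged, untracked = [], []
    for branch, remote_head in sorted(remote_refs.items()):
        if branch not in local_refs:
            untracked.append(branch)
            continue
        rejected, _ = push_would_be_rejected(
            commits, remote_refs, branch, local_refs[branch])
        if rejected:
            flagged.append(branch)
    return flagged, untracked


if __name__ == "__main__":
    local = {"master": "c3"}
    # Case 1: the foreign commit lands on master -> the next push is refused.
    print(audit_remote(COMMITS, {"master": "x9"}, local))
    # Case 2 (this thread): master is untouched and the foreign commit sits
    # on a new branch -> the push succeeds and nobody is alerted.
    print(audit_remote(COMMITS, {"master": "b2", "spigot": "x9"}, local))
```
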


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Matt Turner
On Wed, Nov 24, 2010 at 6:58 AM, Luc Verhaegen l...@skynet.be wrote:
 On Wed, Nov 24, 2010 at 08:27:12PM +1000, Peter Hutterer wrote:
 On 24/11/10 19:38 , Luc Verhaegen wrote:

 Conspiracy theories?

 I did not imply that you were the one starting with the conspiracy
 theories, and I think strictly speaking there was no name-calling in
 that thread either so I have overshot the target and I apologise.
 Correct the above to the usual fights, that at least is obvious.

 Anyway, the best approach to solving issues like this is to go to the
 list and say hey guys, this isn't funny, it raises trust issues when
 that happens. Which is exactly what your first email did, and the first
 subsequent ones. The thread then went haywire quickly, initiated by a
 number of people, and that is unnecessary.

 At this point we have found the guilty parties, we have a publicly
 expressed regret, the consequences of removed root access, and we should
 move on to the more on-topic questions Eirik raised.

 If you want to raise the issue of how the radeonhd project was treated
 or the methods of said hardware vendor, I suggest starting a new thread
 because I don't think this one will go anywhere useful at this point.

 Cheers,
   Peter

 It is highly related though, the stunt pulled here just underlines the
 situation the project is in for anyone not belonging to the right crowd,
 and that directly affects the future of X.org.

 Heck, part of the reason why so many go crazy over any X replacement
 project can be attributed to this.

 Luc Verhaegen.

From the Phoronix forums, you say

 Yeah, this was most definitely not a simple prank, as some people like to 
 claim.

What are you suggesting it was?


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Luc Verhaegen
On Wed, Nov 24, 2010 at 11:08:18AM -0500, Matt Turner wrote:

 From the Phoronix forums, you say
 
  Yeah, this was most definitely not a simple prank, as some people like to 
  claim.
 
 What are you suggesting it was?

Do you really find this a simple prank? Or do you find this a flagrant 
abuse of power and a severe breach of trust that damages the whole of 
fd.o and x.org?

Why do i find myself having to explain this still, i would've expected 
this was clear by now.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread drago01
On Wed, Nov 24, 2010 at 5:12 PM, Luc Verhaegen l...@skynet.be wrote:
 On Wed, Nov 24, 2010 at 11:08:18AM -0500, Matt Turner wrote:

 From the Phoronix forums, you say

  Yeah, this was most definitely not a simple prank, as some people like to 
  claim.

 What are you suggesting it was?

 Do you really find this a simple prank? Or do you find this a flagrant
 abuse of power and a severe breach of trust that damages the whole of
 fd.o and x.org?

 Why do i find myself having to explain this still, i would've expected
 this was clear by now.

Let me get straight to the point:

You pointed out the issue, we found out who did it, they apologized
for doing so and revoked their root access.

So what other actions do you want to be taken now?

So I agree with Peter here, the thread served its purpose, lets move on.


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Michal Svoboda
drago01 wrote:
 You pointed out the issue, we found out who did it, they apologized
 for doing so and revoked their root access.
 
 So what other actions do you want to be taken now?

If I may step in I suggest investing some time and developing some sort
of (formal) security concept. It's not that much time and it would boost
your security tenfold. Pranks from trusted admins would perhaps not be
avoided but other latent issues will.

Michal Svoboda



Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Matthias Hopf
On Nov 23, 10 22:56:52 +, Alan Cox wrote:
  It's on a separate branch, not master.   (Doesn't mean it's right, just
  that it's not actually going to cripple anything or waste time for anyone
  who doesn't ask for it.)
 
 And how many other un-noticed commits did this person make ? Until you
 know that you have to assume a complete compromise.

Luckily, git makes this difficult. At least as long as git histories are
repeatedly checked (which they are for the main trees), a git fsck
should find any inconsistencies, and you should get broken
fast-forwards.

Not that this makes the fraud any better.

Matthias

-- 
Matthias Hopf mh...@suse.de  ____   __
Maxfeldstr. 5 / 90409 Nuernberg   (_   | |  (_   |__  m...@mshopf.de
Phone +49-911-74053-715   __)  |_|  __)  |__  R  D   www.mshopf.de


Re: Respository vandalism by r...@...fd.o

2010-11-24 Thread Alan Coopersmith
So, wearing my X11R7.6 Release Manager hat, I am willing to accept
that the git repositories are not known to be compromised by an
outside actor, and that we can go forward with development  releases
as normal.

I had been quietly holding off on doing any more releases until the
issue was investigated, but am now satisfied that we know with reasonable
certainty how the spigot branch  jerkcity commit came to be in
the radeonhd git repo.   While Adam  Daniel's judgment in making those
was obviously unsound, I still feel I can rely on their integrity, so if
they say this was an isolated incident and that no other repos were
illicitly modified, I believe them.   (But then, I also have faith in
git's sha1 hashes of commits to reinforce this and help us spot any
unauthorized commits others may attempt to make, as discussed elsewhere
in this thread.)

Of course, when making releases I do look over the commits included,
in order to judge what sort of version number increase is warranted
by the changes included (i.e. version += 0.0.1 for configure script
updates  janitorial cleanups, version += 0.1 for new features) and
to be able to summarize the changes in the release announcements,
so would hopefully spot any out-of-place commits and hope that other
developers  maintainers are doing the same.

(Before I get any more e-mail or IRC chatter berating me for downplaying
 the seriousness of this issue, I am only addressing in this message my
 personal opinion of whether we can go forward with using the git repos
 on freedesktop.org as normal, not discussing the original action or its
 repercussions outside the ability of the rest of us to get back to work.)

-- 
-Alan Coopersmith-alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System

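
The integrity property Alan refers to, and the part of `git fsck` Matthias has in mind, as an added example that is neither git's code nor the X.Org project's: every loose object must hash, over `<type> <size>\0<body>`, to the name it is filed under, so stored bytes altered in place are detectable. The repository, the commit body and the author are constructed in a temporary directory; only the empty-tree id is a real git constant.

```python
import hashlib
import os
import shutil
import tempfile
import zlib

# Constructed commit body for the demo; the tree id is git's well-known
# empty-tree hash, the author is a placeholder.
GOOD_COMMIT = (b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
               b"author Demo <demo@example.invalid> 0 +0000\n"
               b"committer Demo <demo@example.invalid> 0 +0000\n"
               b"\ninitial\n")


def git_object_id(obj_type, body):
    """The SHA-1 git assigns: hash of '<type> <size>\\0' followed by the body."""
    header = b"%s %d\0" % (obj_type.encode("ascii"), len(body))
    return hashlib.sha1(header + body).hexdigest()


def write_loose_object(repo, obj_type, body, name=None):
    """Store a zlib-compressed loose object under objects/xx/yyyy...
    `name` overrides the file name so the demo can plant a mismatch."""
    header = b"%s %d\0" % (obj_type.encode("ascii"), len(body))
    oid = name or git_object_id(obj_type, body)
    path = os.path.join(repo, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(header + body))
    return oid


def verify_loose_objects(repo):
    """Return sorted (object_id, problem) pairs for loose objects whose
    stored bytes do not decompress to a well-formed object hashing to
    their own file name. Pack files are out of scope here."""
    problems = []
    objdir = os.path.join(repo, "objects")
    for sub in sorted(os.listdir(objdir)):
        if len(sub) != 2:
            continue  # info/ and pack/ directories
        for rest in sorted(os.listdir(os.path.join(objdir, sub))):
            oid = sub + rest
            with open(os.path.join(objdir, sub, rest), "rb") as f:
                raw = f.read()
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                problems.append((oid, "corrupt zlib stream"))
                continue
            header, sep, body = data.partition(b"\0")
            obj_type, space, size = header.partition(b" ")
            if not sep or not space or not size.isdigit():
                problems.append((oid, "malformed header"))
                continue
            if int(size) != len(body):
                problems.append((oid, "size in header does not match body"))
                continue
            actual = git_object_id(obj_type.decode("ascii", "replace"), body)
            if actual != oid:
                problems.append((oid, "content hashes to " + actual))
    return sorted(problems)


def demo():
    """Verify a clean one-object repo, then overwrite that object's file
    with altered content and verify again. Returns both result lists."""
    repo = tempfile.mkdtemp(prefix="fsck-demo-")
    try:
        oid = write_loose_object(repo, "commit", GOOD_COMMIT)
        clean = verify_loose_objects(repo)
        tampered = GOOD_COMMIT.replace(b"initial", b"edited")
        write_loose_object(repo, "commit", tampered, name=oid)
        return clean, verify_loose_objects(repo)
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("clean repo:", before)
    print("after tampering:", after)
```

A well-formed foreign commit such as the one in this thread, filed under its own correct hash, passes this check; it is caught by ref comparison and ownership review, not by object verification.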


companies contributing to X [was: Re: Respository vandalism by r...@...fd.o]

2010-11-24 Thread Matt Dew
 But you also might want to consider that i was at a hardware vendor two
 weeks ago, and i had to listen to their main engineer calling
 contributing directly to X a waste of time, and that they rather fix
 the versions their customers ship, and hand the patches to their
 customers directly, never bothering to submit to X directly. They rather
 implement stuff, hand it to their customers, as they know that their
 code will not be accepted, and that it will be reinvented a few weeks or
 months later. Then they go and use the reimplementation afterwards, and
 save a lot of manpower and frustration in the process. Despite all my
 personal feelings about free software and the likes, I had absolutely
 nothing to counter, anything i could even try to throw up against that
 would either be completely irrelevant and meek, or a lie.

This I'm curious about.   Are there more companies that feel it's
too-hard/not-worth-while for companies to contribute stuff to Xorg?
I know the linux kernel has this issue, but is X's contribution
difficulty larger?

I ask out of complete curiosity, not trying to stir any pot.
Matt


Re: companies contributing to X [was: Re: Respository vandalism by r...@...fd.o]

2010-11-24 Thread Pat Kane
Matt,

I think what you are asking is:  is the Microsoft FUD working?
The answer is:  yes.

Should we roll over and play dead?  No, not me.

Freedom, as in  free range,
Pat
---



On Wed, Nov 24, 2010 at 3:56 PM, Matt Dew m...@osource.org wrote:
 This I'm curious about.   Are there more companies that feel it's
 too-hard/not-worth-while for companies to contribute stuff to Xorg?


Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
Radeonhd repo:
http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot

author  SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
committer   SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
commit  231683e2f111bb064125f64f2da797d744cde7fa (patch)
...
PERHAPS BONGHITS WILL FIX MY MAKEFILE
Signed-off-by: SPIGOT r...@jerkcity.com 

Very funny, but the person responsible forgot that maybe, this puts the 
whole trust in anything on fd.o at risk.

A look at the repo itself shows:

...xf86-video-radeonhd/objects$ ls -al 23/1683e2f111bb064125f64f2da797d744cde7fa
-r--r--r-- 1 root xorg 205 2010-11-01 21:22 23/1683e2f111bb064125f64f2da797d744cde7fa

This while others clearly show:

...xf86-video-radeonhd/objects$ ls -al 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
-r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6

So, who has root access to annarchy or any other of the servers, and who 
thought this would be funny, and who deserves to lose his access right 
here, right now?

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Tue, Nov 23, 2010 at 01:32:30PM +0100, Luc Verhaegen wrote:
 Radeonhd repo:
 http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
 
 author  SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 committer   SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 commit  231683e2f111bb064125f64f2da797d744cde7fa (patch)
 ...
 PERHAPS BONGHITS WILL FIX MY MAKEFILE
 Signed-off-by: SPIGOT r...@jerkcity.com 
 
 Very funny, but the person responsible forgot that maybe, this puts the 
 whole trust in anything on fd.o at risk.
 
 A look at the repo itself shows:
 
 ...xf86-video-radeonhd/objects$ ls -al 23/1683e2f111bb064125f64f2da797d744cde7fa
 -r--r--r-- 1 root xorg 205 2010-11-01 21:22 23/1683e2f111bb064125f64f2da797d744cde7fa
 
 This while others clearly show:
 
 ...xf86-video-radeonhd/objects$ ls -al 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
 -r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
 
 So, who has root access to annarchy or any other of the servers, and who 
 thought this would be funny, and who deserves to lose his access right 
 here, right now?
 
 Luc Verhaegen.

It is clear that this is not a normal security breach, as this commit is 
fully in line with the naming scheme used by fd.o. Plus, given the 
history of radeonhd, combined with who i think have root access, makes 
it seem quite likely that this was simply one of the people with regular 
root access.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Tue, Nov 23, 2010 at 01:47:19PM +0100, Luc Verhaegen wrote:
 On Tue, Nov 23, 2010 at 01:32:30PM +0100, Luc Verhaegen wrote:
  Radeonhd repo:
  http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
  
  author  SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
  committer   SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
  commit  231683e2f111bb064125f64f2da797d744cde7fa (patch)
  ...
  PERHAPS BONGHITS WILL FIX MY MAKEFILE
  Signed-off-by: SPIGOT r...@jerkcity.com 
  
  Very funny, but the person responsible forgot that maybe, this puts the 
  whole trust in anything on fd.o at risk.
  
  A look at the repo itself shows:
  
  ...xf86-video-radeonhd/objects$ ls -al 23/1683e2f111bb064125f64f2da797d744cde7fa
  -r--r--r-- 1 root xorg 205 2010-11-01 21:22 23/1683e2f111bb064125f64f2da797d744cde7fa
  
  This while others clearly show:
  
  ...xf86-video-radeonhd/objects$ ls -al 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
  -r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6
  
  So, who has root access to annarchy or any other of the servers, and who 
  thought this would be funny, and who deserves to lose his access right 
  here, right now?
  
  Luc Verhaegen.
 
 It is clear that this is not a normal security breach, as this commit is 
 fully in line with the naming scheme used by fd.o. Plus, given the 
 history of radeonhd, combined with who i think have root access, makes 
 it seem quite likely that this was simply one of the people with regular 
 root access.
 
 Luc Verhaegen.

Also, the hooks/update script was not run, as that would've sent an 
email to the radeonhd mailing list, the update hook was restored 
afterwards it seems:

...xf86-video-radeonhd/hooks$ ls -al
total 36
drwxrwsr-x 2 keithp xorg 4096 2010-11-04 15:01 .
drwxrwsr-x 8 eich   xorg 4096 2009-12-09 06:09 ..
-rw-rw-r-- 1 keithp xorg  426 2007-09-17 11:09 applypatch-msg
-rw-rw-r-- 1 keithp xorg  528 2007-09-17 11:09 commit-msg
-rw-rw-r-- 1 keithp xorg  152 2007-09-17 11:09 post-commit
-rwxrwxr-x 1 keithp xorg  207 2007-09-17 11:09 post-update
-rw-rw-r-- 1 keithp xorg  373 2007-09-17 11:09 pre-applypatch
-rw-rw-r-- 1 keithp xorg 1616 2007-09-17 11:09 pre-commit
-rwxrwxr-x 1 keithp xorg 3755 2010-11-01 21:26 update

This is not random at all.

Luc Verhaegen.
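
Luc's two checks from this message and his first one (who owns the object files in the bare repo, and whether a hook was changed right next to the suspect commit) turned into a script, as an added example that is neither freedesktop.org tooling nor anything posted in the thread. It parses `ls -l` lines constructed from the output quoted above, flags loose objects not owned by an expected writer, and flags hooks modified within minutes of the suspect object's mtime; the expected-writer set is assumed for the demo from the owners visible in the listing.

```python
from datetime import datetime, timedelta
import re

# Constructed after the `ls -al` output quoted in this thread; the object
# names, owners and timestamps are the ones shown there, joined back onto
# one line each. Nothing else about the freedesktop.org host is assumed.
OBJECT_LISTING = [
    "-r--r--r-- 1 root  xorg 205 2010-11-01 21:22 23/1683e2f111bb064125f64f2da797d744cde7fa",
    "-r--r--r-- 1 mhopf xorg 596 2010-05-12 07:34 00/8cf170fe2f7d7c52bb691f77d2199a2e21f9d6",
]
HOOK_LISTING = [
    "total 36",
    "drwxrwsr-x 2 keithp xorg 4096 2010-11-04 15:01 .",
    "drwxrwsr-x 8 eich   xorg 4096 2009-12-09 06:09 ..",
    "-rw-rw-r-- 1 keithp xorg  426 2007-09-17 11:09 applypatch-msg",
    "-rw-rw-r-- 1 keithp xorg  528 2007-09-17 11:09 commit-msg",
    "-rw-rw-r-- 1 keithp xorg  152 2007-09-17 11:09 post-commit",
    "-rwxrwxr-x 1 keithp xorg  207 2007-09-17 11:09 post-update",
    "-rw-rw-r-- 1 keithp xorg  373 2007-09-17 11:09 pre-applypatch",
    "-rw-rw-r-- 1 keithp xorg 1616 2007-09-17 11:09 pre-commit",
    "-rwxrwxr-x 1 keithp xorg 3755 2010-11-01 21:26 update",
]

# Accounts expected to write into this repository. Assumed for the demo
# from the owners visible in the listing; a real audit would take the
# repository group's membership list instead.
EXPECTED_WRITERS = {"mhopf", "keithp", "eich"}

# mtime of the suspect object, taken from the listing above.
SUSPECT_COMMIT_TIME = datetime(2010, 11, 1, 21, 22)

# `ls -l` with ISO dates: perms links owner group size date time name
LS_RE = re.compile(
    r"^(?P<perms>\S+)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+?)\s*$")


def parse_ls(lines):
    """Parse `ls -l` lines into dicts; non-matching lines ('total 36') are skipped."""
    entries = []
    for line in lines:
        m = LS_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["mtime"] = datetime.strptime(e["date"] + " " + e["time"],
                                       "%Y-%m-%d %H:%M")
        entries.append(e)
    return entries


def foreign_owned(entries, expected_writers):
    """Files written by an account outside the expected set. In a shared
    bare repository pushed to over ssh, objects are owned by the pushing
    user (the mhopf-owned object above); a root-owned object was written
    some other way and deserves a look."""
    return [(e["name"], e["owner"]) for e in entries
            if e["owner"] not in expected_writers]


def touched_near(entries, when, window):
    """Files whose mtime lies within `window` of the suspect time. A hook
    edited minutes after a commit is a sign the hook (here the one that
    mails the list) was disabled or replaced for that commit."""
    return [e["name"] for e in entries if abs(e["mtime"] - when) <= window]


def run_audit():
    objects = parse_ls(OBJECT_LISTING)
    hooks = parse_ls(HOOK_LISTING)
    return {
        "foreign_objects": foreign_owned(objects, EXPECTED_WRITERS),
        "hooks_touched": touched_near(hooks, SUSPECT_COMMIT_TIME,
                                      timedelta(minutes=15)),
    }


if __name__ == "__main__":
    for key, hits in run_audit().items():
        print(key, hits)
```
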


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Gaetan Nadon
On Tue, 2010-11-23 at 13:57 +0100, Luc Verhaegen wrote:

  It is clear that this is not a normal security breach, as this commit is
  fully in line with the naming scheme used by fd.o. Plus, given the
  history of radeonhd, combined with who i think have root access, makes
  it seem quite likely that this was simply one of the people with regular
  root access.


I had noticed this appalling commit, looked around and came to the same
conclusion.
I had also received an e-mail alerting me about this commit. This is not
a good use of our time.

The commit should actually be removed from the repository, or at least
reverted, to save other people from wasting time on this. Their wiki
states that radeonhd is deprecated, which is fine, but that does not mean
it should be crippled.

That would be the honorable thing to do for the author of this commit.
I make mistakes, people tell me nicely, I fix them and life goes on.

Gaetan



Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Tue, Nov 23, 2010 at 10:25:33AM -0500, Gaetan Nadon wrote:
 On Tue, 2010-11-23 at 13:57 +0100, Luc Verhaegen wrote:
 
   It is clear that this is not a normal security breach, as this commit is
   fully in line with the naming scheme used by fd.o. Plus, given the
   history of radeonhd, combined with who i think have root access, makes
   it seem quite likely that this was simply one of the people with regular
   root access.
 
 I had noticed this appalling commit, looked around and came to the same
 conclusion. I had also received an e-mail alerting me about this commit.
 This is not a good use of our time.
 
 The commit should actually be removed from the repository, or at least
 reverted, to save other people from wasting time on this. Their wiki
 states that radeonhd is deprecated, which is fine, but that does not mean
 it should be crippled.
 
 That would be the honorable thing to do for the author of this commit.
 I make mistakes, people tell me nicely, I fix them and life goes on.
 
 Gaetan

Still, would you really want to trust your code to freedesktop.org after 
this, knowing that there's someone with root access pulling stunts like 
this?

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Maarten Maathuis
On Tue, Nov 23, 2010 at 4:27 PM, Luc Verhaegen l...@skynet.be wrote:
 On Tue, Nov 23, 2010 at 10:25:33AM -0500, Gaetan Nadon wrote:
 On Tue, 2010-11-23 at 13:57 +0100, Luc Verhaegen wrote:

   It is clear that this is not a normal security breach, as this commit is
   fully in line with the naming scheme used by fd.o. Plus, given the
   history of radeonhd, combined with who i think have root access, makes
   it seem quite likely that this was simply one of the people with regular
   root access.

 I had noticed this appalling commit, looked around and came to the same
 conclusion. I had also received an e-mail alerting me about this commit.
 This is not a good use of our time.

 The commit should actually be removed from the repository, or at least
 reverted, to save other people from wasting time on this. Their wiki
 states that radeonhd is deprecated, which is fine, but that does not mean
 it should be crippled.

 That would be the honorable thing to do for the author of this commit.
 I make mistakes, people tell me nicely, I fix them and life goes on.

 Gaetan

 Still, would you really want to trust your code to freedesktop.org after
 this, knowing that there's someone with root access pulling stunts like
 this?

 Luc Verhaegen.


It's obvious the person must be found, and regardless of whether the
person is found, change the root password and only tell those who are
known to be trustworthy still.

-- 
Far away from the primal instinct, the song seems to fade away, the
river get wider between your thoughts and the things we do and say.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Alan Coopersmith
Gaetan Nadon wrote:
 On Tue, 2010-11-23 at 13:57 +0100, Luc Verhaegen wrote:
  It is clear that this is not a normal security breach, as this commit is
  fully in line with the naming scheme used by fd.o. Plus, given the
  history of radeonhd, combined with who i think have root access, makes
  it seem quite likely that this was simply one of the people with regular
  root access.

 I had noticed this appalling commit, looked around and came to the same
 conclusion. I had also received an e-mail alerting me about this commit.
 This is not a good use of our time.
 
 The commit should actually be removed from the repository, or at least
 reverted, to save other people from wasting time on this. Their wiki
 states that radeonhd is deprecated, which is fine, but that does not mean
 it should be crippled.

It's on a separate branch, not master.   (Doesn't mean it's right, just
that it's not actually going to cripple anything or waste time for anyone
who doesn't ask for it.)

The last update on the radeonhd master branch is 6 months ago.

-- 
-Alan Coopersmith-alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System



Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Tue, Nov 23, 2010 at 08:32:10AM -0800, Alan Coopersmith wrote:
 Gaetan Nadon wrote:
  On Tue, 2010-11-23 at 13:57 +0100, Luc Verhaegen wrote:
   It is clear that this is not a normal security breach, as this
  commit is
   fully in line with the naming scheme used by fd.o. Plus, given the
   history of radeonhd, combined with who i think have root access, makes
   it seem quite likely that this was simply one of the people with
  regular
   root access.
 
  I had noticed this appalling commit, looked around and came to the same
  conclusion.
  I had also received an e-mail alerting me about this commit. This is not
  a good use of our time.
  
  The commit should actually be removed from the repository, or at least
  reverted,
  to save other people from wasting time on this. Their wiki states that
  radeonhd is deprecated,
  which is fine, but that does not mean it should be crippled.
 
 It's on a separate branch, not master.   (Doesn't mean it's right, just
 that it's not actually going to cripple anything or waste time for anyone
 who doesn't ask for it.)
 
 The last update on the radeonhd master branch is 6 months ago.

Sure, it's a separate branch.
Sure, you can easily remove the branch.

But the base fact is: someone took advantage of his fd.o admin rights to 
do this.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Egbert Eich
On Tue, Nov 23, 2010 at 08:32:10AM -0800, Alan Coopersmith wrote:
 Gaetan Nadon wrote:
  On Tue, 2010-11-23 at 13:57 +0100, Luc Verhaegen wrote:
   It is clear that this is not a normal security breach, as this
  commit is
   fully in line with the naming scheme used by fd.o. Plus, given the
   history of radeonhd, combined with who i think have root access, makes
   it seem quite likely that this was simply one of the people with
  regular
   root access.
 
  I had noticed this appalling commit, looked around and came to the same
  conclusion.
  I had also received an e-mail alerting me about this commit. This is not
  a good use of our time.
  
  The commit should actually be removed from the repository, or at least
  reverted,
  to save other people from wasting time on this. Their wiki states that
  radeonhd is deprecated,
  which is fine, but that does not mean it should be crippled.
 
 It's on a separate branch, not master.   (Doesn't mean it's right, just
 that it's not actually going to cripple anything or waste time for anyone
 who doesn't ask for it.)
 
 The last update on the radeonhd master branch is 6 months ago.
 

Alan,

It strikes me that this should be downplayed.
Please bear in mind that this is something which could happen 
again at any time to any project and branch.
Either there is a security breach somewhere or someone with 
admin privileges has lost his marbles and clearly went over 
the top. fd.o doesn't need either.

Regards,
Egbert.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread James Cloos
 LV == Luc Verhaegen l...@skynet.be writes:

LV So, who has root access to annarchy or any other of the servers, and who 
LV thought this would be funny, and who deserves to lose his access right 
LV here, right now?

s/annarchy/kemper/, yes?  Annarchy is supposed to have a read-only nfs
mount of the git repos.

Kemper should be checked for signs of exploitation.

As for the commit posting script, and given Alan's post, are you sure
that it will post commits on branches other than master?  Or that the
radeonhd list will accept a post from r...@kemper.fd.o?  It could have
bounced or ended up in a presumed-spam queue.

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Alan Cox
 It's on a separate branch, not master.   (Doesn't mean it's right, just
 that it's not actually going to cripple anything or waste time for anyone
 who doesn't ask for it.)

And how many other un-noticed commits did this person make ? Until you
know that you have to assume a complete compromise.

Alan


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Frans de Boer
On 11/23/2010 11:56 PM, Alan Cox wrote:
 It's on a separate branch, not master.   (Doesn't mean it's right, just
 that it's not actually going to cripple anything or waste time for anyone
 who doesn't ask for it.)
 
 And how many other un-noticed commits did this person make ? Until you
 know that you have to assume a complete compromise.

 Alan
Just like to inquire whether the observed behavior was a real security
breach - someone introducing (maybe over time) a backdoor or the like -
or just sloppy behavior. In other words, can we still trust the xorg
repositories or are they compromised in some way?

People and companies depend on xorg functionality without backdoors or
the like. At the first sign of xorg repositories being compromised, I
have to pull the plug on systems relying on xorg functionality. Please
make sure what really happened and then inform the community. This
thread only gives rise to fears without - so it seems - verified facts.

Frans.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Egbert Eich
On Tue, Nov 23, 2010 at 10:56:52PM +, Alan Cox wrote:
  It's on a separate branch, not master.   (Doesn't mean it's right, just
  that it's not actually going to cripple anything or waste time for anyone
  who doesn't ask for it.)
 
 And how many other un-noticed commits did this person make ? Until you
 know that you have to assume a complete compromise.
 

Alan, 

right! Even if this could be considered a less harmful thing that only
happened in a newly created branch it'd be easy for this person to play
a lot more evil tricks somewhere else.
What would you suggest should be done next? Checking logs for traces
of this? Those which could reveal this information might be gone already.

Cheers,
Egbert.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Alan Coopersmith
Luc Verhaegen wrote:
 Still, would you really want to trust your code to freedesktop.org after 
 this, knowing that there's someone with root access pulling stunts like 
 this?

Feel free to keep your code somewhere else - oh wait, you already do.

-- 
-Alan Coopersmith-alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System



Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Alan Coopersmith
Alan Cox wrote:
 It's on a separate branch, not master.   (Doesn't mean it's right, just
 that it's not actually going to cripple anything or waste time for anyone
 who doesn't ask for it.)
 
 And how many other un-noticed commits did this person make ? Until you
 know that you have to assume a complete compromise.

Understood, but you'll also understand that's something we have to ask the
freedesktop.org admins to investigate.   Like most X.Org developers, I
can't even login to the server hosting git other than with the restricted
shell used for git pushes.

-- 
-Alan Coopersmith-alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System



Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Alan Coopersmith
Frans de Boer wrote:
 Just like to inquire whether the observed behavior was a real security
 breach - someone introducing (maybe over time) a backdoor or the like -
 or just sloppy behavior. In other words, can we still trust the xorg
 repositories or are they compromised in some way?
 
 People and companies depend on xorg functionality without backdoors or
 the like. At the first sign of xorg repositories being compromised, I
 have to pull the plug on systems relying on xorg functionality. Please
 make sure what really happened and then inform the community. This
 thread only gives rise to fears without - so it seems - verified facts.

Yes, the original poster's announcement to the list in general and directly
to phoronix without notifying the developers or admins first seems to have
been designed to do exactly that - raise fears without facts.

-- 
-Alan Coopersmith-alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System



Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Alan Cox
 What would you suggest should be done next? Checking logs for traces
 of this? Those which could reveal this information might be gone already.

Looking for anything which is in the tree but not in or not matching the
mail archive. Sounds like a job for a perl nutter 8)

And chasing down who did it - because if it's someone who did something
silly while drunk one night they could save a whole lot of harm by just
owning up and apologising.

Alan
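Alan Cox's suggestion above (compare what is in the tree with what the commit-notification list actually saw) as an added example; this is not code from the thread or from freedesktop.org. The notification mail layout, the `git log` format string, and every SHA, author and address below are constructed for illustration and would need adjusting to a real archive's format.

```python
"""Reconcile a git history against the commit-notification mail archive.

Constructed sample data only: the SHAs, authors and mail format below are
placeholders, not real freedesktop.org commits or notification mails.
"""
import email
import re
from typing import Dict, List, NamedTuple


class Commit(NamedTuple):
    sha: str
    author: str      # "Name <address>" as git prints it
    subject: str


# Assumed notification format (constructed): a plain-text body made of
# "commit <sha>" / "Author: Name <mail>" blocks, as post-receive hooks
# commonly emit.  A real archive needs the regexes adjusted to its layout.
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})\s*$")
AUTHOR_RE = re.compile(r"^Author:\s+(.+?)\s*$")


def parse_git_log(text: str) -> Dict[str, Commit]:
    """Parse `git log --all --format='%H%x09%an <%ae>%x09%s'` output."""
    commits: Dict[str, Commit] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, subject = line.split("\t", 2)
        commits[sha] = Commit(sha, author, subject)
    return commits


def parse_notification(raw: str) -> Dict[str, str]:
    """Return {sha: author} for every commit one notification mail announces."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    announced: Dict[str, str] = {}
    current = None
    for line in body.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            current = m.group(1)
            announced[current] = ""
            continue
        m = AUTHOR_RE.match(line)
        if m and current:
            announced[current] = m.group(1)
    return announced


def reconcile(commits: Dict[str, Commit], mails: List[str]) -> Dict[str, List[str]]:
    """Flag commits the list never saw, and announced commits whose author
    no longer matches the tree (a sign of rewritten history)."""
    announced: Dict[str, str] = {}
    for raw in mails:
        announced.update(parse_notification(raw))
    missing = sorted(sha for sha in commits if sha not in announced)
    mismatched = sorted(
        sha for sha, c in commits.items()
        if sha in announced and announced[sha] != c.author
    )
    return {"missing": missing, "mismatched": mismatched}


# --- constructed sample input -------------------------------------------
SHA_OK = "a1" * 20           # announced, matches the tree
SHA_REWRITTEN = "c3" * 20    # announced, but the tree now shows another author
SHA_UNANNOUNCED = "b2" * 20  # in the tree, never went out to the list

SAMPLE_GIT_LOG = (
    f"{SHA_OK}\tDev One <dev1@example.org>\tFix typo in README\n"
    f"{SHA_REWRITTEN}\tRewritten Author <nobody@example.invalid>\tAdd missing include\n"
    f"{SHA_UNANNOUNCED}\tSPIGOT <root@example.invalid>\tPrank commit on a side branch\n"
)

SAMPLE_MAILS = [
    "From: git-notifier@example.invalid\n"
    "Subject: [git] example-repo: branch master updated\n"
    "\n"
    f"commit {SHA_OK}\n"
    "Author: Dev One <dev1@example.org>\n"
    "\n"
    "    Fix typo in README\n"
    "\n"
    f"commit {SHA_REWRITTEN}\n"
    "Author: Dev Two <dev2@example.org>\n"
    "\n"
    "    Add missing include\n",
]


def report(commits: Dict[str, Commit], mails: List[str]) -> List[str]:
    """Human-readable findings, one line per suspicious commit."""
    found = reconcile(commits, mails)
    lines = [f"NOT ANNOUNCED  {sha}  {commits[sha].author}  {commits[sha].subject}"
             for sha in found["missing"]]
    lines += [f"AUTHOR CHANGED {sha}  tree says {commits[sha].author!r}"
              for sha in found["mismatched"]]
    return lines


if __name__ == "__main__":
    for line in report(parse_git_log(SAMPLE_GIT_LOG), SAMPLE_MAILS):
        print(line)
```

Run against a real repository by piping `git log --all` with the format string above into `parse_git_log` and the list's mbox into `parse_notification`; anything listed as NOT ANNOUNCED or AUTHOR CHANGED is what the thread asks to go looking for.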


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Alan Coopersmith
Frans de Boer wrote:
 On 11/24/2010 12:40 AM, Alan Coopersmith wrote:
 Frans de Boer wrote:
 Just like to inquire whether the observed behavior was a real security
 breach - someone introducing (maybe over time) a backdoor or the like -
 or just sloppy behavior. In other words, can we still trust the xorg
 repositories or are they compromised in some way?

 People and companies depend on xorg functionality without backdoors or
 the like. At the first sign of xorg repositories being compromised, I
 have to pull the plug on systems relying on xorg functionality. Please
 make sure what really happened and then inform the community. This
 thread only gives rise to fears without - so it seems - verified facts.
 
 Yes, the original poster's announcement to the list in general and directly
 to phoronix without notifying the developers or admins first seems to have
 been designed to do exactly that - raise fears without facts.

 Hm, are you willing to put both your hands in the fire for this claim? I
 just note that you use the word seems, which indicates to me that you
 are not sure either. 

My only claim was about the method in which the issue was announced to
drum up maximum attention before investigation could be held.

 Assumptions might bring only more fear and/or uncertainty about the
 integrity of the xorg code.

I have already stated that we need the freedesktop.org admins to investigate.
I am not going to hinder their investigation or waste anyone's time second
guessing them in public.

-- 
-Alan Coopersmith-alan.coopersm...@oracle.com
 Oracle Solaris Platform Engineering: X Window System



Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Frans de Boer
On 11/24/2010 01:04 AM, Alan Coopersmith wrote:
 Frans de Boer wrote:
 On 11/24/2010 12:40 AM, Alan Coopersmith wrote:
 
 Frans de Boer wrote:
 Just like to inquire whether the observed behavior was a real security
 breach - someone introducing (maybe over time) a backdoor or the like -
 or just sloppy behavior. In other words, can we still trust the xorg
 repositories or are they compromised in some way?

 People and companies depend on xorg functionality without backdoors or
 the like. At the first sign of xorg repositories being compromised, I
 have to pull the plug on systems relying on xorg functionality. Please
 make sure what really happened and then inform the community. This
 thread only gives rise to fears without - so it seems - verified facts.
 
 
 Yes, the original poster's announcement to the list in general and directly
 to phoronix without notifying the developers or admins first seems to have
 been designed to do exactly that - raise fears without facts.

 Hm, are you willing to put both your hands in the fire for this claim? I
 just note that you use the word seems, which indicates to me that you
 are not sure either. 
 
 My only claim was about the method in which the issue was announced to
 drum up maximum attention before investigation could be held.

 Assumptions might bring only more fear and/or uncertainty about the
 integrity of the xorg code.
 
 I have already stated that we need the freedesktop.org admins to investigate.
 I am not going to hinder their investigation or waste anyone's time second
 guessing them in public.

Sorry, my email crossed yours I noticed. Please don't feel attacked or
the like. I just sit still and await any further 'real' news for now.
Frans.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Adam Jackson
On Tue, 2010-11-23 at 13:32 +0100, Luc Verhaegen wrote:
 Radeonhd repo:
 http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
 
 author    SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 committer SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 commit    231683e2f111bb064125f64f2da797d744cde7fa (patch)
 ...
 PERHAPS BONGHITS WILL FIX MY MAKEFILE
 Signed-off-by: SPIGOT r...@jerkcity.com 
 
 Very funny, but the person responsible forgot that maybe, this puts the 
 whole trust in anything on fd.o at risk.

That was me.  Serious lapse in judgement on my part.  I pretty much did
it to get a rise out of Luc; looks like I succeeded.  But it's
indefensible, and I apologize.  I'm kind of in a bad place emotionally
and I should know better than to act that out in public.

I've disabled my root accounts on the fd.o machines.  I don't trust me
with them anymore either.

- ajax



Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Frans de Boer
On 11/24/2010 01:24 AM, Adam Jackson wrote:
 On Tue, 2010-11-23 at 13:32 +0100, Luc Verhaegen wrote:
 Radeonhd repo:
 http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot

 author   SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 committerSPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 commit   231683e2f111bb064125f64f2da797d744cde7fa (patch)
 ...
 PERHAPS BONGHITS WILL FIX MY MAKEFILE
 Signed-off-by: SPIGOT r...@jerkcity.com 

 Very funny, but the person responsible forgot that maybe, this puts the 
 whole trust in anything on fd.o at risk.
 
 That was me.  Serious lapse in judgement on my part.  I pretty much did
 it to get a rise out of Luc; looks like I succeeded.  But it's
 indefensible, and I apologize.  I'm kind of in a bad place emotionally
 and I should know better than to act that out in public.

 I've disabled my root accounts on the fd.o machines.  I don't trust me
 with them anymore either.

 - ajax


Thanks Adam,

Because of my unfamiliarity with the people involved with xorg, can
anybody verify the claim Adam made?
If it was just a misplaced competition effort, I can continue to rely on
the xorg code.
Also, if it turns out to be a validated claim Adam made, accept it as is
and continue. Hopefully Adam has learned his lesson. But also
Freedesktop.org should have its act together. Do check the access
rights and allow only trusted persons root access. Hopefully Adam was
NOT one of them they trusted explicitly and he has only access due to
historical reasons.

Frans.

Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Dave Airlie
On Wed, Nov 24, 2010 at 10:37 AM, Frans de Boer fr...@fransdb.nl wrote:
 On 11/24/2010 01:24 AM, Adam Jackson wrote:

 On Tue, 2010-11-23 at 13:32 +0100, Luc Verhaegen wrote:


 Radeonhd repo:
 http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot

 author    SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 committer SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
 commit    231683e2f111bb064125f64f2da797d744cde7fa (patch)
 ...
 PERHAPS BONGHITS WILL FIX MY MAKEFILE
 Signed-off-by: SPIGOT r...@jerkcity.com

 Very funny, but the person responsible forgot that maybe, this puts the
 whole trust in anything on fd.o at risk.


 That was me.  Serious lapse in judgement on my part.  I pretty much did
 it to get a rise out of Luc; looks like I succeeded.  But it's
 indefensible, and I apologize.  I'm kind of in a bad place emotionally
 and I should know better than to act that out in public.

 I've disabled my root accounts on the fd.o machines.  I don't trust me
 with them anymore either.

 - ajax



 Thanks Adam,

 Because of my unfamiliarity with the people involved with xorg, can anybody
 verify the claim Adam made?
 If it was just a misplaced competition effort, I can continue to rely on the
 xorg code.
 Also, if it turns out to be a validated claim Adam made, accept it as is and
 continue. Hopefully Adam has learned his lesson. But also Freedesktop.org
 should have its act together. Do check the access rights and allow only
 trusted persons root access. Hopefully Adam was NOT one of them they trusted
 explicitly and he has only access due to historical reasons.

Yes, and not sure about the rest. Freedesktop isn't some sort of paid
organisation here, you have a group of volunteers running some
machines tied together with a lot of baling twine. It only recently
through the good graces of Collabora that fd.o got some paid
administration time directed at it at all (Tollef). Like we could
migrate all the stuff to machines that X.org control but we'd end up
with the same problems + another set of problems.

Adam still does a lot of a/c maintenance for X.org and other projects,
these will now have to be done by a part-time admin which means even
longer delays on new a/cs. There is a major fd.o overhaul in the works
and maybe Tollef can provide some insight into it when he has time.

Dave.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Matt Turner
On Wed, Nov 24, 2010 at 12:37 AM, Frans de Boer fr...@fransdb.nl wrote:
 Thanks Adam,

 Because of my unfamiliarity with the people involved with xorg, can anybody
 verify the claim Adam made?

I can't verify it. But I had a pretty strong suspicion. :)

 If it was just a misplaced competition effort, I can continue to rely on the
 xorg code.

It was a prank. I'm sure he didn't foresee people getting this anxious over it.

 Also, if it turns out to be a validated claim Adam made, accept it as is and
 continue. Hopefully Adam has learned his lesson. But also Freedesktop.org
 should have its act together. Do check the access rights and allow only
 trusted persons root access. Hopefully Adam was NOT one of them they trusted
 explicitly and he has only access due to historical reasons.

Adam was trusted, and is still trusted I'd say. Because it was a joke.
He made a funny commit in a branch of a dead project that no one has
even committed build fixes to since May. No one, especially Adam, is
going to insert backdoors in the xserver or whatever it is you're
thinking. The guy has 28 commits to the xserver alone since 1.9 was
released on August 20.

Matt


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Dave Airlie

 Thanks Adam,

 Because of my unfamiliarity with the people involved with xorg, can anybody
 verify the claim Adam made?
 If it was just a misplaced competition effort, I can continue to rely on the
 xorg code.
 Also, if it turns out to be a validated claim Adam made, accept it as is and
 continue. Hopefully Adam has learned his lesson. But also Freedesktop.org
 should have its act together. Do check the access rights and allow only
 trusted persons root access. Hopefully Adam was NOT one of them they trusted
 explicitly and he has only access due to historical reasons.

 Yes, and not sure about the rest. Freedesktop isn't some sort of paid
 organisation here, you have a group of volunteers running some
 machines tied together with a lot of baling twine. It only recently
 through the good graces of Collabora that fd.o got some paid
 administration time directed at it at all (Tollef). Like we could
 migrate all the stuff to machines that X.org control but we'd end up
 with the same problems + another set of problems.

 Adam still does a lot of a/c maintenance for X.org and other projects,
 these will now have to be done by a part-time admin which means even
 longer delays on new a/cs. There is a major fd.o overhaul in the works
 and maybe Tollef can provide some insight into it when he has time.

I forgot to cc Tollef of course, and gmail sucks at forward/bouncing.

Dave.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Wed, Nov 24, 2010 at 01:45:15AM +, Matt Turner wrote:
 On Wed, Nov 24, 2010 at 12:37 AM, Frans de Boer fr...@fransdb.nl wrote:
  Thanks Adam,
 
  Because of my unfamiliarity with the people involved with xorg, can anybody
  verify the claim Adam made?
 
 I can't verify it. But I had a pretty strong suspicion. :)
 
  If it was just a misplaced competition effort, I can continue to rely on the
  xorg code.
 
 It was a prank. I'm sure he didn't foresee people getting this anxious over 
 it.
 
  Also, if it turns out to be a validated claim Adam made, accept it as is and
  continue. Hopefully Adam has learned his lesson. But also Freedesktop.org
  should have its act together. Do check the access rights and allow only
  trusted persons root access. Hopefully Adam was NOT one of them they trusted
  explicitly and he has only access due to historical reasons.
 
 Adam was trusted, and is still trusted I'd say. Because it was a joke.
 He made a funny commit in a branch of a dead project that no one has
 even committed build fixes to since May. No one, especially Adam, is
 going to insert backdoors in the xserver or whatever it is you're
 thinking. The guy has 28 commits to the xserver alone since 1.9 was
 released on August 20.
 
 Matt

This here is not a joke at all.

Stop downplaying it.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Tue, Nov 23, 2010 at 07:24:12PM -0500, Adam Jackson wrote:
 On Tue, 2010-11-23 at 13:32 +0100, Luc Verhaegen wrote:
  Radeonhd repo:
  http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
  
  author  SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
  committer   SPIGOT r...@jerkcity.com  2010-11-02 04:21:14 (GMT)
  commit  231683e2f111bb064125f64f2da797d744cde7fa (patch)
  ...
  PERHAPS BONGHITS WILL FIX MY MAKEFILE
  Signed-off-by: SPIGOT r...@jerkcity.com 
  
  Very funny, but the person responsible forgot that maybe, this puts the 
  whole trust in anything on fd.o at risk.
 
 That was me.  Serious lapse in judgement on my part.  I pretty much did
 it to get a rise out of Luc; looks like I succeeded.  But it's
 indefensible, and I apologize.  I'm kind of in a bad place emotionally
 and I should know better than to act that out in public.
 
 I've disabled my root accounts on the fd.o machines.  I don't trust me
 with them anymore either.
 
 - ajax

I can't see why. You know tons of ways to trigger me, without 
compromising X.org or fd.o.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Tue, Nov 23, 2010 at 03:40:49PM -0800, Alan Coopersmith wrote:
 Frans de Boer wrote:
  Just like to inquire whether the observed behavior was a real security
  breach - someone introducing (maybe over time) a backdoor or the like -
  or just sloppy behavior. In other words, can we still trust the xorg
  repositories or are they compromised in some way?
  
  People and companies depend on xorg functionality without backdoors or
  the like. At the first sign of xorg repositories being compromised, I
  have to pull the plug on systems relying on xorg functionality. Please
  make sure what really happened and then inform the community. This
  thread only gives rise to fears without - so it seems - verified facts.
 
 Yes, the original poster's announcement to the list in general and directly
 to phoronix without notifying the developers or admins first seems to have
 been designed to do exactly that - raise fears without facts.

Alan,

You know that i've been with X.org for long enough to know what works 
and what gets muffled. The fact that you and others are continuously 
downplaying this proves that i took the right course of action.

About mailing the board, well, the board is not exactly the fastest of 
organs, even though i feel that it has become better since the last 
elections and the crap throwing that happened before and after them.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Tue, Nov 23, 2010 at 03:36:58PM -0800, Alan Coopersmith wrote:
 Alan Cox wrote:
  It's on a separate branch, not master.   (Doesn't mean it's right, just
  that it's not actually going to cripple anything or waste time for anyone
  who doesn't ask for it.)
  
  And how many other un-noticed commits did this person make ? Until you
  know that you have to assume a complete compromise.
 
 Understood, but you'll also understand that's something we have to ask the
 freedesktop.org admins to investigate.   Like most X.Org developers, I
 can't even login to the server hosting git other than with the restricted
 shell used for git pushes.

See, this was exactly the problem here. It _was_ a freedesktop admin. 
And it was pretty clear that it was that from the onset too. Mailing 
fd.o admins, even if i could've dug up an email address in the split 
second that i wrote the email (heck, i even mistyped repository), was 
not the right course of action.

Luc Verhaegen.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Dave Airlie
On Wed, Nov 24, 2010 at 4:31 PM, Luc Verhaegen l...@skynet.be wrote:
 On Tue, Nov 23, 2010 at 03:36:58PM -0800, Alan Coopersmith wrote:
 Alan Cox wrote:
  It's on a separate branch, not master.   (Doesn't mean it's right, just
  that it's not actually going to cripple anything or waste time for anyone
  who doesn't ask for it.)
 
  And how many other un-noticed commits did this person make ? Until you
  know that you have to assume a complete compromise.

 Understood, but you'll also understand that's something we have to ask the
 freedesktop.org admins to investigate.   Like most X.Org developers, I
 can't even login to the server hosting git other than with the restricted
 shell used for git pushes.

 See, this was exactly the problem here. It _was_ a freedesktop admin.
 And it was pretty clear that it was that from the onset too. Mailing
 fd.o admins, even if i could've dug up an email address in the split
 second that i wrote the email (heck, i even mistyped repository), was
 not the right course of action.

So you mailed 2 mailing lists consisting of 2-300 people who could do
nothing about it?

nice work.

Dave.


Re: Respository vandalism by r...@...fd.o

2010-11-23 Thread Luc Verhaegen
On Wed, Nov 24, 2010 at 04:36:17PM +1000, Dave Airlie wrote:
 On Wed, Nov 24, 2010 at 4:31 PM, Luc Verhaegen l...@skynet.be wrote:
 
  See, this was exactly the problem here. It _was_ a freedesktop admin.
  And it was pretty clear that it was that from the onset too. Mailing
  fd.o admins, even if i could've dug up an email address in the split
  second that i wrote the email (heck, i even mistyped repository), was
  not the right course of action.
 
 So you mailed 2 mailing lists consisting of 2-300 people who could do
 nothing about it?
 
 nice work.
 
 Dave.

Heh.

I already wasted quite some time on the actions of one of your 
colleagues, i guess i can waste some more time on yours.

Stop the counter-attack dave, it's far too obvious what you are doing 
here.

The means to the end were perfectly justifiable under the circumstances, 
and this includes the years of experience i have with dealing with X.org 
community. This especially includes the experience of something as noble 
as the radeonhd driver project.

Anything else than a similar course of action would've meant that the issue 
would've been silenced to death.

Luc Verhaegen.