> As far as I can see, all you've managed to do is to create a lot of
> noise about what is, in itself, a fairly minor incident. Yes, it is
> serious that a "trusted admin" abuses his powers. However, that happens
> and will continue to happen. Humans are like that. We often show a
> remarkable lack of good judgement. And in this case, I think the
> pattern matches well with "bad judgement" rather than "evil intent".
>
> What I'm far more worried about are the admins (and non-admins) who have
> made changes with "evil intent" that we have not noticed. I am not
> particularly worried about this incident, as anyone with true "evil
> intent" would not have advertised their actions like this. However,
> that doesn't mean that no-one has acted with "evil intent", and been
> successful at it.
>
> There are two things that I feel are important about this:
>
> 1. What systems do we have in place that enable us to detect when a
>    "trusted admin" acts in "bad judgement" or with "evil intent"? What
>    is the probability that such actions will be noticed? Can we do
>    anything to increase this probability?
wrt the git repos, git is designed to be good at detecting tampering, esp. history tampering, i.e. git won't allow a push to a repo that hasn't got matching history. Someone adding a branch or pushing a branch with a file should be noticed by active project participants. We also sign all the release emails with md5/sha1 sums for the tarballs for later verification, which was instituted after the last real security incident.

> 2. What systems do we have in place that enable us to detect "evil
>    commits" once they actually make their way into the repository? What
>    is the probability that they will be noticed? Can we do anything to
>    increase this probability?

Again git + humans using the repos should catch most things.

> 3. When incidents are detected (break-ins, abuse of admin rights, evil
>    commits, what have you...), what processes are in place to deal with
>    this? What information is published, and in which fora, and when?
>    What investigations are performed, and what actions are carried out
>    as a result of such investigations? Where are these processes
>    documented?

We could probably better define this sort of thing, again fd.o has been a pretty haphazard setup based on volunteer time and effort, but again hopefully we can get some escalation procedures in place that are less public.

Dave.
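The release-mail check Dave describes, written out as an added example (not code from the thread or from X.Org): the producer side emits the per-tarball MD5/SHA1 lines that go into the signed announcement, and the consumer side recomputes both digests over the downloaded tarball and accepts only if every published digest matches. The tarball bytes, file name and mail layout are constructed for the example, and the check only means something once the mail's signature has been verified, since the sums inherit their trust from that signature.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed stand-in for a release tarball; any bytes will do here.
TARBALL_NAME = "xorg-example-1.0.0.tar.bz2"
TARBALL = b"BZh91AY&SY" + b"example release contents " * 8

# Announcement lines look like "MD5:  <hex>" / "SHA1: <hex>" under a file name.
DIGEST_LINE = re.compile(r"^(MD5|SHA1):\s+([0-9a-f]+)\s*$")


def publish_sums(name: str, data: bytes) -> str:
    """Producer side: the digest block placed in the (PGP-signed) release mail."""
    return (f"{name}\n"
            f"MD5:  {hashlib.md5(data).hexdigest()}\n"
            f"SHA1: {hashlib.sha1(data).hexdigest()}\n")


def parse_sums(mail_body: str) -> Dict[str, Dict[str, str]]:
    """Map each tarball named in the announcement to its published digests."""
    sums: Dict[str, Dict[str, str]] = {}
    current = None
    for line in mail_body.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m and current is not None:
            sums[current][m.group(1).lower()] = m.group(2)
        elif line.strip().endswith((".tar.bz2", ".tar.gz")):
            current = line.strip()
            sums[current] = {}
    return sums


def verify_tarball(mail_body: str, name: str, data: bytes) -> bool:
    """Consumer side: require BOTH published digests to match the download.

    A missing entry or a missing digest is treated as unverified, not as a
    pass, so a truncated or edited announcement cannot silently accept."""
    published = parse_sums(mail_body).get(name)
    if not published or set(published) != {"md5", "sha1"}:
        return False
    actual = {"md5": hashlib.md5(data).hexdigest(),
              "sha1": hashlib.sha1(data).hexdigest()}
    # Constant-time comparison of the hex strings; both must agree.
    return all(hmac.compare_digest(actual[k], published[k]) for k in actual)


if __name__ == "__main__":
    mail = publish_sums(TARBALL_NAME, TARBALL)
    print(mail)
    print("genuine:", verify_tarball(mail, TARBALL_NAME, TARBALL))
    print("tampered:", verify_tarball(mail, TARBALL_NAME, TARBALL + b"\x00"))
```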