Repository vandalism by root at ...fd.o

Dave Airlie airlied at gmail.com
Wed Nov 24 00:40:54 PST 2010


>
> As far as I can see, all you've managed to do is to create a lot of
> noise about what is, in itself, a fairly minor incident.  Yes, it is
> serious that a "trusted admin" abuses his powers.  However, that happens
> and will continue to happen.  Humans are like that.  We often show a
> remarkable lack of good judgement.  And in this case, I think the
> pattern matches well with "bad judgement" rather than "evil intent".
>
> What I'm far more worried about are the admins (and non-admins) who have
> made changes with "evil intent" that we have not noticed.  I am not
> particularly worried about this incident, as anyone with true "evil
> intent" would not have advertised their actions like this.  However,
> that doesn't mean that no-one has acted with "evil intent", and been
> successful at it.
>
> There are two things that I feel are important about this:
>
> 1. What systems do we have in place that enables us to detect when a
>   "trusted admin" acts in "bad judgement" or with "evil intent"?  What
>   is the probability that such actions will be noticed?  Can we do
>   anything to increase this probability?

wrt the git repos, git is designed to be good at detecting
tampering, esp history tampering, i.e. git won't allow a push to a
repo that hasn't got matching history. Someone adding a branch or
pushing a branch with a file should be noticed by active project
participants.

We also sign all the release emails with md5/sha1 sums for the
tarballs for later verification, which was instituted after the last
real security incident.

> 2. What systems do we have in place that enables us to detect "evil
>   commits" once they actually make their way into the repository?  What
>   is the probability that they will be noticed?  Can we do anything to
>   increase this probability?

Again git + humans using the repos should catch most things.

> 3. When incidents are detected (break-ins, abuse of admin rights, evil
>   commits, what have you...), what processes are in place to deal with
>   this?  What information is published, and in which fora, and when?
>   What investigations are performed, and what actions are carried out
>   as a result of such investigations?  Where are these processes
>   documented?

We could probably better define this sort of thing, again fd.o has
been a pretty haphazard setup based on volunteer time and effort, but
again hopefully we can get some escalation procedures in place that
are less public.

Dave.
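The two mechanical controls Dave names above, git refusing a push whose history does not match and release announcements carrying md5/sha1 sums for the tarballs, can both be exercised locally. The script below is an added example and is not part of this thread or of fd.o's tooling: the announcement text, the file name `xyz-1.0.0.tar.gz` and its digests are constructed, and the functions `expected_sum`, `verify_sum`, `verify_release` and `ref_is_fast_forward` are this example's own. It assumes the announcement's PGP signature has already been checked with `gpg --verify`, which is what binds the listed sums to the release manager's key. Both digests are weak by current standards (md5 collisions are practical), so a present-day announcement would list sha256 or sha512; the shape of the check is unchanged.

```shell
#!/bin/sh
# Added example, not from the thread or from fd.o. Two checks on constructed input:
#  (1) a downloaded tarball verified against the md5/sha1 sums quoted in a
#      (PGP-signed) release announcement, as a downstream packager would do;
#  (2) git's fast-forward rule, the test that makes a history-rewriting push fail.

# Constructed announcement body. Verifying the signature around it (gpg --verify)
# is assumed to have passed before these sums are trusted.
ANNOUNCEMENT='Release xyz 1.0.0 (constructed example)

MD5:  b1946ac92492d2347c6235b4d2611184  xyz-1.0.0.tar.gz
SHA1: f572d396fae9206628714fb2ce00f72e94f2258f  xyz-1.0.0.tar.gz
'

# Print the digest the announcement lists for LABEL (MD5 or SHA1) and file NAME.
expected_sum() {  # $1 announcement text, $2 label, $3 file name
    printf '%s\n' "$1" | awk -v label="$2:" -v name="$3" \
        '$1 == label && $3 == name { print $2 }'
}

# Compare the file's actual digest with the listed one.
# Returns 0 on match, 1 on mismatch, 2 if the announcement has no entry for it.
verify_sum() {  # $1 announcement text, $2 label, $3 path to tarball
    want=$(expected_sum "$1" "$2" "$(basename "$3")")
    [ -n "$want" ] || return 2
    case "$2" in
        MD5)  have=$(md5sum "$3"  | awk '{ print $1 }') ;;
        SHA1) have=$(sha1sum "$3" | awk '{ print $1 }') ;;
        *)    return 2 ;;
    esac
    [ "$have" = "$want" ]
}

# A tarball passes only if every listed digest matches, so a substitute file
# would have to collide both hashes at once. Returns 0 on pass, 1 otherwise.
verify_release() {  # $1 announcement text, $2 path to tarball
    verify_sum "$1" MD5 "$2" && verify_sum "$1" SHA1 "$2"
}

# Write the constructed "tarball" whose digests the announcement lists
# (its content is the six bytes "hello\n"; a real release would be a tar.gz).
make_sample_release() {  # $1 directory
    printf 'hello\n' > "$1/xyz-1.0.0.tar.gz"
}

# git's fast-forward rule: pushing NEW over OLD is accepted only if OLD is an
# ancestor of NEW. This is the check a server-side update hook (or
# receive.denyNonFastForwards) applies. Returns 0 if NEW is a fast-forward of OLD.
ref_is_fast_forward() {  # $1 repo dir, $2 old commit, $3 new commit
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Build a throwaway repo, rewrite its last commit, and show that the rewritten
# tip is not a fast-forward of the published one. Called only when git exists.
demo_git() {
    repo=$(mktemp -d)
    git init -q "$repo"
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g commit -q --allow-empty -m "first";  old=$(g rev-parse HEAD)
    g commit -q --allow-empty -m "second"; good=$(g rev-parse HEAD)
    g commit -q --allow-empty --amend -m "second, rewritten"
    rewritten=$(g rev-parse HEAD)
    ref_is_fast_forward "$repo" "$old" "$good" && echo "normal push: fast-forward, accepted"
    ref_is_fast_forward "$repo" "$good" "$rewritten" || echo "rewritten history: not a fast-forward, rejected"
    rm -rf "$repo"
}

# Walk through both checks on the constructed input.
main_demo() {
    dir=$(mktemp -d)
    make_sample_release "$dir"
    if verify_release "$ANNOUNCEMENT" "$dir/xyz-1.0.0.tar.gz"; then
        echo "xyz-1.0.0.tar.gz: sums match the announcement"
    fi
    printf 'hello\n\n' > "$dir/xyz-1.0.0.tar.gz"   # simulate a swapped tarball
    if ! verify_release "$ANNOUNCEMENT" "$dir/xyz-1.0.0.tar.gz"; then
        echo "xyz-1.0.0.tar.gz: MISMATCH, do not unpack"
    fi
    rm -rf "$dir"
    if command -v git >/dev/null 2>&1; then demo_git; fi
}
main_demo
```

Run it as `sh verify-release.sh`; for a real download, replace `ANNOUNCEMENT` with the signed email body (after `gpg --verify` passes) and point `verify_release` at the fetched tarball. The git half is the same `merge-base --is-ancestor` test a hosting server runs before accepting a push, so it is also a quick way to confirm, from a local clone, whether a remote branch has been force-pushed since you last fetched it.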


More information about the xorg-devel mailing list