Respository vandalism by root at ...fd.o
airlied at gmail.com
Wed Nov 24 00:40:54 PST 2010
> As far as I can see, all you've managed to do is to create a lot of
> noise about what is, in itself, a fairly minor incident. Yes, it is
> serious that a "trusted admin" abuses his powers. However, that happens
> and will continue to happen. Humans are like that. We often show a
> remarkable lack of good judgement. And in this case, I think the
> pattern matches well with "bad judgement" rather than "evil intent".
> What I'm far more worried about are the admins (and non-admins) who have
> made changes with "evil intent" that we have not noticed. I am not
> particularly worried about this incident, as anyone with true "evil
> intent" would not have advertised their actions like this. However,
> that doesn't mean that no-one have acted with "evil intent", and been
> successful at it.
> There are two things that I feel are important about this:
> 1. What systems do we have in place that enables us to detect when a
> "trusted admin" acts in "bad judgement" or with "evil intent"? What
> is the probability that such actions will be noticed? Can we do
> anything to increase this probability?
wrt to the git repos, git is designed to be good at detecting
tampering, esp history tampering, i.e. git won't allow a push to a
repo that hasn't got matching history. Someone adding a branch or
pushing a branch with a file, should be noticed by active project
We also sign all the release emails with md5/sha1 sums for the
tarballs for later verification, which was instituted after the last
real security incident.
> 2. What systems do we have in place that enables us to detect "evil
> commits" once they actually make their way into the repository? What
> is the probability that they will be noticed? Can we do anything to
> increase this probability?
Again git + humans using the repos should catch most things.
> 3. When incidents are detected (break-ins, abuse of admin rights, evil
> commits, what have you...), what processes are in place to deal with
> this? What information is published, and in which fora, and when?
> What investigations are performed, and what actions are carried out
> as a result of such investigations? Where are these processes
We could probably better define this sort of things, again fd.o has
been a pretty haphazard setup based on volunteer time and effort, but
again hopefully we can get some escalation procedures in place that
are less public.
More information about the xorg