Who actually does have root? [was Re: Respository ...]

Luc Verhaegen libv at skynet.be
Sun Nov 28 13:02:34 PST 2010

On Sun, Nov 28, 2010 at 10:01:20PM +0100, Luc Verhaegen wrote:
> On Wed, Nov 24, 2010 at 06:40:54PM +1000, Dave Airlie wrote:
> >
> > We could probably better define this sort of things, again fd.o has
> > been a pretty haphazard setup based on volunteer time and effort, but
> > again hopefully we can get some escalation procedures in place that
> > are less public.
> > 
> > Dave.
> In fact, more visibility is what is needed, not less!
> Just like with the fundamental change that happened with the X.org 
> board earlier this year: we need to know who is doing what, before we 
> can trust it.
> In my very first email i asked who all had root access to the fd.o 
> machines. I haven't got an answer to that yet.
> From irc, the day after this broke out, i saw that ajax and daniels 
> suspended their own fd.o root accounts, but keep their x.org accounts?
> Why only fd.o and not X.org? Why only suspension and not taking away 
> this access?
> Is this really how people want to run a free software project? Where 
> only political affiliation means that your code is safe?
> And WTF, searching through my irc log, i dug up this:
> --- Day changed Fri Nov 19 2010
> ...
> 04:13 < alanc> someone leave a git repo writable by too many people?  
> http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
> 04:14 < cjb> looks like a perfectly normal ajax commit to me
> 04:14 < alanc> except he usually signs his as ajax, not 
> root at jerkcity.com
> 04:15 < cjb> was kidding :)
> 04:15 < alanc> not that I'm disagreeing with the new autogen.sh there, 
> given it was the only commit in the last 6 months, but it would be more 
> useful on master
> 04:17 < mjg59> I'm not sure that that branch has always been there
> WTF? Alan, why did you not act on this? Why didn't you mail 
> admins at fd.o?  Why are you spending your time bashing me for blowing this 
> open, and not talking to the admins, while all you did was 1) put this 
> on irc 2) shrug and walk away.
> Do you find this acceptable behaviour for the secretary of the X.org 
> board?
> Since i am pasting irclog, attached is more irc log, showing several 
> people at their best (including me).
> Luc Verhaegen.

Now with an actual log attached.

Luc Verhaegen
--- Day changed Tue Nov 23 2010
<before the email>
13:02 < libv> ok, which wanker pulled this: http://cgit.freedesktop.org/xorg/driver/xf86-video-radeonhd/commit/?h=spigot
13:03 < arekm> lol
13:04 < scarabeus> i likes
13:04 < libv> well, either there's some idiot with rather severe fd.o access
13:04 < libv> or there is a security issue
13:07 < libv> i would rather expect that those people capable of doing this, would be above this
<And now after:>
16:04 < mattst88> oh man, people out to get libv again
16:06 < libv> mattst88: heh.
16:06 < libv> mattst88: would you really trust your code to fd.o when you know that those with root access pull such stunts?
16:07 < mattst88> I suppose that it's more of a prank than anything serious.
16:07 < libv> mattst88: this is definitely not a prank
16:07 < mjg59> Somebody used an inappropriate process to mark an unmaintained project as deprecated
16:07 < mjg59> Which is worthy of criticism, but
16:07 < libv> mjg59: and the difference is... marketing... right?
16:07 < mjg59> I'm not trying to justify the way it was done
16:08 < mattst88> of course it is a prank, they made a silly branch in the repository. They didn't delete code. (Unless I'm missing something)
16:08 < ajax> it's not like git has securty anyway
16:08 < ajax> forging COMMITTER_EMAIL is trivial
16:08 < libv> mattst88: how would you have root do this to your repos?
16:08 < libv> like to even
16:08 < tmzt_dg2root> but you need ssh though don't you?
16:08 < tmzt_dg2root> so it has to be somebody 'trusted'
16:09 < mattst88> libv, I wouldn't, no doubt. I'm not justifying it.
16:09 < mjg59> libv: If a project is unmaintained then leaving it buildable rather than marking it as deprecated is irresponsible
16:09 < libv> mjg59: radeonhd hasn't been part of the release for two or more years now
16:09 < libv> mjg59: remember the big flame war with amongst others, you, me and daniels
16:10 < tmzt_dg2root> it's still the only non atom ati code? or is that avivo
16:10 < mjg59> libv: Yet it's still in the repo and people keep building it and getting confused
16:10 < libv> heh, avivo is still listed as part of ohloh
16:10 < libv> mjg59: mshopf make some updates to it in may
16:10 < mjg59> libv: So it's unmaintained
16:10 < libv> mjg59: but this does not take away from the core fact
16:11 < libv> mjg59: so stop diverting from that.
16:11 < mjg59> I refer you to my previous statement
16:11 < mjg59> I don't think there's any reasonable justification for the way it was done
16:11  * mattst88 looks at what he's started, and is sad
16:12 < tmzt_dg2root> so, serious question, is there a way to set CC to build.sh so I don't have to patch it?
16:12 < libv> this is not some banal prank, this is a serious breach of trust in the whole of fd.o
16:13 < mattst88> I wonder how long it'll be until phoronix has an article up.
16:13 < ajax> they do.
16:13 < ajax> drama -> pageviews -> dolla
16:13 < mattst88> you're fucking kidding me
16:14  * mattst88 facepalms
16:14 < libv> mattst88: i poked michael the second i sent an email
16:14 < libv> mattst88: like so many, you fail to see how useful michael really is.
16:14 < jcristau> libv should clearly get paid by phoronix for the drama
16:14 < tmzt_dg2root> yeah there's some good articles
16:15 < mattst88> libv, for spreading news to people who don't really understand it?
16:15 < krh> jcristau: maybe he does
16:15 < tmzt_dg2root> the first article on wayland was two years ago
16:15 < libv> jcristau: no, the guy who has more forum posts, you know, the same guy who is supposed to get free software developers documentation about graphics hardware, he should be paid by phoronix
16:15 < libv> more forum posts than the owner
16:17 < mattst88> at least half the time, he's the only reason that site should exist
16:17 < libv> and besides, how many people here know that michael filed a solid proposal for the next XDS/XDC during toulouse still?
16:17 < libv> mattst88: that's your view.
16:17 < mattst88> hah, of course it is.
16:17 < tmzt_dg2root> and listenable video?
16:18 < libv> tmzt_dg2root: feel free to drag a camera along to X events and tape them yourself instead
16:19 < tmzt_dg2root> hah, I just strain and process with -af volume=10:1
16:19 < tmzt_dg2root> and mostly it works
16:19 < tmzt_dg2root> it's awesome that he does it in the first place
<unrelated discussion, which included further participation from ajax>
--- Day changed Wed Nov 24 2010
00:24 < MostAwesomeDude> Man, that rhd thread.
00:24 < MostAwesomeDude> Do we need a PSA about the dangers of drunk committing
00:39 <@alanc> can daniels or anholt or ajax or anyone with root on git.fd.o please invesitgate the damn commit and show it wasn't someone cracking root so we can shut that whole thread up?
01:14 < krh> alanc: nice dose of common sense in that thread
03:02 < tmzt_dg2root> libv: just use a minimal/restricted shell for git access, and limit root to people that reeally need it for maintainance
03:04 < gisburn> libv: that only works if people can't break out of the restricted shell jail. bash in restricted mode is notoriously unsecure
03:04 < gisburn> (but I have no clue how secure "dash" in restricted mode is and for ksh93 you need at least ksh93 version 't+' to be on the safe side)
03:06 < tmzt_dg2root> I wonder how the big git hosters do it
03:06 < tmzt_dg2root> resolving keys and not using user acounts at all I think
03:06 < gisburn> tmzt_dg2root: usually chroot.
03:08 < gisburn> tmzt_dg2root: "typical" solution us to use something like "Jails", "zones" (e.g. Solaris) or even a virtual machine and access data filesystems via r/w via NFS, possibly even kerberised and let '/' an$
03:12 < mue_> it was no hack though
03:12 < tmzt_dg2root> https://github.com/epeli/subssh
03:16 < tmzt_dg2root> okay, so that script just matches the username in the key, it's not based on a hash or anything else
04:23 < daniels> raster, antrik: fwiw, the n900 was sold through a few telcos, including vodafone in europe, optus in australia, etc.
04:28 < daniels> alanc: and it wasn't a hack at all, i logged in with danielsR.  i've asked tollef to disable danielsR across fd.o.  (i'd reply to the list, but don't have email access while i'm in .au this week.)
04:28 < daniels> libv: my apologies as well; i can't really defend it at all as it was a pretty gross misuse of fd.o
04:29 <@alanc> daniels: I think you and ajax need to get your stories straight
04:30 < ohsix> jerkcity ftw
04:30 < ajax> both are accurate
04:30 < ajax> we were in the same room
04:30 < ajax> i did the commit
04:30 < ohsix> GLAHGLHGHG
04:30 < ajax> his login though
04:30 <@alanc> I also think both of you giving up admin rights is a reward for you, not a punishment 8-/
04:30 < ajax> in a sense, yes
04:30 <@alanc> punishment for everyone else
04:31 < ajax> but like i said, i'm not exactly feeling awesome about it or much of anything else
04:31 < ajax> so, you know.  happy thanksgiving.
04:31 < daniels> heh, to some extent, but tollef is pretty on the ball these days
04:32 < daniels> i still have access to fruit & ldap, so i'm happy to do x.org account creation, or we could get you ldap access if you were feeling masochistic ;)
04:32 < ohsix> rands should run everything
04:33 < ajax> see, this is what i'm saying.
04:35 <@alanc> as far as X.Org is concerned, not having to shut down git access for a week or two to audit everything is a win - beyond that, it's up to fd.o management (which I assume is still just keithp) what to do about who has admin access
04:37 <@alanc> it does make me wonder if there's any way to enforce having reasonable signed-off-by in all commits, though anything we can mandate, root can subvert by disabling the hooks
04:37 < daniels> yeah, exactly
04:37 <@alanc> so that would just stop xgi & ast from committing
04:37 < daniels> heh
04:37 < ohsix> at least it was root@ :D could have been made to look like anything
04:38 < daniels> not that that'd be a huge loss tbh, but still
04:38 < airlied> the thing is git does the right thing
04:38 < airlied> you can't actually modify a git commit without someone noticing
04:38 < daniels> right
04:38 < airlied> addition to a repo don't matter a crap
04:39 <@alanc> yeah, enough of us have checked out repos we'd notice if we got errors about head not matching
04:39 < airlied> like really ajax should have done that commit without root and pushed it
04:39 < airlied> I for one would support that
04:39 < airlied> maybe "It's dead jim" -> "This project is deprecated"
04:39 < daniels> airlied: radeonhd isn't really an xorg project though, they do their own thing
04:39 < airlied> its not really any project anymore
04:39 < daniels> at the moment they're not part of xorg in anything but git repo name, so you have to go looking for it
04:40 <@alanc> doing it right would be putting a "needs maintainer" message in like the input drivers, and putting it in master, not a new branch
04:41 < whot> or merge it into the xserver tree :P
04:42 <@alanc> and I suppose one advantage of the single pusher model to xserver is that keith really notices when someone pushes something they shouldn't have to xserver itself
04:44 < whot> alanc: you get that in any well-maintained repo though
04:44 <@alanc> I certainly notice when there's a push by anyone other than me or Gaetan to apps/libs/proto modules
04:46 < whot> yeah, same with evdev/synaptics
04:46 <@alanc> and I know I've heard from vmware's maintainer when I pushed to that module without getting his review first
04:48 < daniels> i think this is the best argument i've yet seen for the gatekeeper model:
04:48 < daniels> daniels at annarchy:~%GIT_DIR=/srv/anongit.freedesktop.org/git/xorg/xserver.git git log --grep=Revert --pretty=oneline xorg-server-1.6.0..xorg-server-1.8.0 | wc -l
04:48 < daniels> 40
04:48 < daniels> daniels at annarchy:~% GIT_DIR=/srv/anongit.freedesktop.org/git/xorg/xserver.git git log --grep=Revert --pretty=oneline xorg-server-1.8.0..master | wc -l11
04:50 < whot> i'd say the number of reviewed-by tags is more telling. xserver development has slowed down in general since 1.6, at least when it comes to feature churn
05:59 < raster> daniels: i know. and i heard ity had like an 80% return rate or something for vodafone in the uk
05:59 < raster> wasnt desirned/geared to be sold thru a telco tho
06:10 < daniels> raster: i'm pretty sure you got your figures mixed up there
06:10 < ohsix> very mixed up
07:33 <@alanc> good lord, he's going to reply to every single damn email in the thread, isn't he?
08:14 < raster> daniels: thats what i heard - it was some horrendous return-rate
08:14 < raster> not because they were faulty
08:14 < raster> peolpe just didnt like it
08:14 < raster> like general-joe customers
09:22 < libv> alanc: heh.
10:01 < daniels> raster: i've heard that story, but it's definitely not about the n900
10:32 < remi|work> whot, maybe commit numbers have gone down, but traffic on -devel with [PATCH] has definitely gone way up
10:32 < remi|work> no hard numbers, but I'm having a hard time reading all of -dev these days
10:32 < remi|work> it used to be a lot easier a couple months/years ago
10:33 < remi|work> not that I'm complaining, it probably means we're reviewing patches a *lot* more than we used to
17:14 < jcristau> mattst88: can we close that thread yet?
17:15 < mattst88> yes, I don't think it's worth responding to
17:15 < jcristau> i mean, if you're interested in more libv ranting, you can do that out of xorg@
17:15 < jcristau> :)
17:15 < libv> hah.
17:15 < dottedmag> whoops. Hopefully not here.
17:16 < libv> next time it'll happen to you, and i'll stand there and downplay too.
17:16 < mattst88> libv, feel free to push garbage branches to -glint.
17:17 < libv> mattst88: from root with faked commiter id?
17:18 < mattst88> yeah, I don't particularly care as long as you don't actually interfere with anything.
17:18 < libv> ... anything you were or are involved with, right?
17:18 < KiBi> bleh, 20+ more mails since last time I looked at it.
17:19 < mattst88> libv, I'm saying that whatever ulterior motives you're suggesting people have for picking at you, you have ulterior motives for being as loud as possible about this.
17:20 < libv> mattst88: oh, those motives are quite clear to anyone
17:20 < mattst88> no, the other ones.
17:20 < libv> mattst88: they are the same ones that made me put my foot up the board elections in february
17:20 < libv> mattst88: oh, which are?
17:21 < mattst88> you knew who did it when you saw it.  you
17:21 < mattst88> you're trying to twist the knife.
17:21 < libv> mattst88: i didn't know, i had my suspicions though
17:22 < libv> mattst88: the fact that i had some suspicion, doesn't make the event right, now does it?
17:22 < mattst88> no, i'm not claiming it was acceptable
17:23 < libv> but you are still downplaying.
17:24 < mattst88> an alternative perspective would be that you're overblowing it, but I don't think we'll ever agree.
17:25 < libv> true
17:50 < ohsix> wheres this thread, i can only find one mail
17:51 < vignatti> ohsix: http://lists.x.org/archives/xorg-devel/2010-November/015824.html
17:52 < ohsix> vignatti: ah ya that's the one, no replies on gmane to it though; thanks
17:52 < vignatti> ohsix: but this one following, is the only that matters actually:
17:52 < vignatti> http://lists.x.org/archives/xorg-devel/2010-November/015901.html
17:53 < vignatti> rest is just libv bitching around
17:54 < ohsix> right, thanks
20:04 < ohsix> hurr libv you insinuated they were on drugs :D
20:04 < ohsix> http://www.jerkcity.com/
--- Day changed Thu Nov 25 2010
08:37  * alanc barely resists the temptation to include "Just remember boys and girls, git's all fun until somebody loses an eye or has to go to the emergency eye wash spigot." in the xeyes release announcement
08:47 < airlied> alanc: looses a root? :-)
22:16 < whot> alanc: hehe, nice xeyes announcement. you should have written "removal of various xeyesores" though :)
22:17 < whot> just to see if anyone notices

