Repository vandalism by root at ...fd.o

Dave Airlie airlied at gmail.com
Wed Nov 24 00:40:54 PST 2010


>
> As far as I can see, all you've managed to do is to create a lot of
> noise about what is, in itself, a fairly minor incident.  Yes, it is
> serious that a "trusted admin" abuses his powers.  However, that happens
> and will continue to happen.  Humans are like that.  We often show a
> remarkable lack of good judgement.  And in this case, I think the
> pattern matches well with "bad judgement" rather than "evil intent".
>
> What I'm far more worried about are the admins (and non-admins) who have
> made changes with "evil intent" that we have not noticed.  I am not
> particularly worried about this incident, as anyone with true "evil
> intent" would not have advertised their actions like this.  However,
> that doesn't mean that no-one have acted with "evil intent", and been
> successful at it.
>
> There are two things that I feel are important about this:
>
> 1. What systems do we have in place that enables us to detect when a
>   "trusted admin" acts in "bad judgement" or with "evil intent"?  What
>   is the probability that such actions will be noticed?  Can we do
>   anything to increase this probability?

wrt to the git repos, git is designed to be good at detecting
tampering, esp history tampering, i.e. git won't allow a push to a
repo that hasn't got matching history. Someone adding a branch or
pushing a branch with a file, should be noticed by active project
participants.

We also sign all the release emails with md5/sha1 sums for the
tarballs for later verification, which was instituted after the last
real security incident.

> 2. What systems do we have in place that enables us to detect "evil
>   commits" once they actually make their way into the repository?  What
>   is the probability that they will be noticed?  Can we do anything to
>   increase this probability?

Again git + humans using the repos should catch most things.

> 3. When incidents are detected (break-ins, abuse of admin rights, evil
>   commits, what have you...), what processes are in place to deal with
>   this?  What information is published, and in which fora, and when?
>   What investigations are performed, and what actions are carried out
>   as a result of such investigations?  Where are these processes
>   documented?

We could probably better define this sort of things, again fd.o has
been a pretty haphazard setup based on volunteer time and effort, but
again hopefully we can get some escalation procedures in place that
are less public.

Dave.
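The two detection mechanisms Dave points to above (git refusing a push whose history does not match the server's, and the checksums mailed out with release tarballs) can both be exercised locally. The script below is an added example and not part of the original thread or of any fd.o tooling; it assumes `git`, `tar` and `sha256sum` are installed and builds every repository and tarball it uses in a temporary directory. It uses sha256 where the 2010 practice used md5/sha1 sums; the check is the same.

```shell
#!/bin/sh
# Added example, not from the xorg thread. Demonstrates:
#  1. git rejecting a non-fast-forward push that rewrites already-published history;
#  2. verifying a downloaded tarball against the checksum a maintainer mailed out.
# Assumes git, tar and sha256sum exist. Everything is constructed under mktemp -d.

set -e

# Create a bare "server" repo and a clone, publish one commit, then amend that
# commit (changing its hash, i.e. rewriting history) and try to push again
# without --force. Prints "rejected" if git refused the push, "accepted" otherwise.
demo_history_tamper() {
  work=$(mktemp -d)
  git init -q --bare "$work/origin.git"
  git clone -q "$work/origin.git" "$work/clone" 2>/dev/null
  clone="$work/clone"
  git -C "$clone" config user.email "dev@example.invalid"   # constructed identity
  git -C "$clone" config user.name "Example Dev"
  echo "hello" > "$clone/file.txt"
  git -C "$clone" add file.txt
  git -C "$clone" commit -q -m "initial"
  git -C "$clone" push -q origin HEAD:refs/heads/master 2>/dev/null
  # Rewrite the published commit: new content, new hash, old commit dropped.
  echo "tampered" > "$clone/file.txt"
  git -C "$clone" commit -q -a --amend -m "initial (rewritten)"
  if git -C "$clone" push -q origin HEAD:refs/heads/master 2>/dev/null; then
    result=accepted
  else
    result=rejected
  fi
  rm -rf "$work"
  echo "$result"
}

# Compare a file's sha256 with the hex digest taken from the signed release mail.
# Usage: verify_tarball <file> <expected-hex>; prints "ok" or "MISMATCH".
verify_tarball() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  if [ "$actual" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# Build a toy release tarball, record the digest the maintainer would publish,
# verify the intact file, then append a byte (a tampered mirror copy) and verify
# again. Prints the two verdicts separated by a space, e.g. "ok MISMATCH".
demo_checksum() {
  work=$(mktemp -d)
  printf 'int main(void) { return 0; }\n' > "$work/foo.c"   # constructed source file
  tar -cf "$work/foo-1.0.tar" -C "$work" foo.c
  published=$(sha256sum "$work/foo-1.0.tar" | cut -d' ' -f1)  # digest from the release mail
  good=$(verify_tarball "$work/foo-1.0.tar" "$published")
  printf 'x' >> "$work/foo-1.0.tar"                           # simulate tampering
  bad=$(verify_tarball "$work/foo-1.0.tar" "$published")
  rm -rf "$work"
  echo "$good $bad"
}

# Stand-alone run: one line per demonstration.
printf 'push after history rewrite: %s\n' "$(demo_history_tamper)"
printf 'tarball check (intact, tampered): %s\n' "$(demo_checksum)"
```

The push refusal is a client-facing check: a root user on the hosting machine, which is the case the thread is about, can edit the bare repository directly, so detection in that situation rests on the clones held by other participants, whose next fetch or push will no longer line up with the server's history. The checksum check likewise only helps if the digest reaches users over a channel the attacker does not control, which is why the thread describes the sums being sent in signed release mails rather than placed next to the tarball.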
