Respository vandalism by root at ...fd.o

Alan Coopersmith alan.coopersmith at
Wed Nov 24 13:17:41 PST 2010

So, wearing my X11R7.6 Release Manager hat, I am willing to accept
that the git repositories are not known to be compromised by an
outside actor, and that we can go forward with development & releases
as normal.

I had been quietly holding off on doing any more releases until the
issue was investigated, but am now satisfied that we know with reasonable
certainty how the "spigot" branch & "jerkcity" commit came to be in
the radeonhd git repo.   While Adam & Daniel's judgment in making those
was obviously unsound, I still feel I can rely on their integrity, so if
they say this was an isolated incident and that no other repos were
illicitly modified, I believe them.   (But then, I also have faith in
git's sha1 hashes of commits to reinforce this and help us spot any
unauthorized commits others may attempt to make, as discussed elsewhere
in this thread.)

Of course, when making releases I do look over the commits included,
in order to judge what sort of version number increase is warranted
by the changes included (i.e. version += 0.0.1 for configure script
updates & janitorial cleanups, version += 0.1 for new features) and
to be able to summarize the changes in the release announcements,
so would hopefully spot any out-of-place commits and hope that other
developers & maintainers are doing the same.

(Before I get any more e-mail or IRC chatter berating me for downplaying
 the seriousness of this issue, I am only addressing in this message my
 personal opinion of whether we can go forward with using the git repos
 on as normal, not discussing the original action or its
 repercussions outside the ability of the rest of us to get back to work.)

	-Alan Coopersmith-        alan.coopersmith at
	 Oracle Solaris Platform Engineering: X Window System

More information about the xorg mailing list