How did it go from "He even performed a backup/mirror of several dozen of our repositories." to "He deleted part of our repository from GitHub. (..) [He published] an empty package in the cooker repository, which obsoleted all gnome and cosmic packages."?
I feel like there's a few steps missing there. How does it go from "a new person joins the community" to "he's able to nuke everything"? Sure, he might be reasonably well-known, but in the post it doesn't sound like he was a core maintainer, or even a very active community member. Do they just randomly hand out admin access to anyone?
It's hard to maintain open source software that needs infrastructure. Everyone is a volunteer and it's not like the Mandriva project has the resources to fully vet people as well as have a high quality RBAC and access control system. This guy sounds like maintained a large project, offered to help, and Mandriva saw the Trojan horse as a way to alleviate a lot of their problems.
And it didn't sound like he was able to "nuke everything" - it sounds like he had access to their repository infrastructure (which is reasonable given he was volunteering to host it) and then lashed out.
If anything, I think it's a bigger organizational red flag that they agreed to privately host their source code on some random git forge and not a larger, more communal one. I mean, even if they didn't want to use GitHub (did this even cost money for them) then there are other providers to choose from.
It just sounds like the Mandriva maintainers are trusting and good folk who may be overworked running an open source project and that led to a bad apple entering the bunch. It's hard for me to be mad in that kind of situation.
I don't think that categorization is warranted - at least the linked announcement doesn't give any indication that the guy joined with the intent to cause trouble and its only after his friend got in trouble that he misused the access he had. No amount of vetting can prevent something like that entirely and only disconnected backups (thanks, git) will help you in the end.
> If anything, I think it's a bigger organizational red flag that they agreed to privately host their source code on some random git forge and not a larger, more communal one.
Did they agree to it? The linked post only says that it was offered and being discussed.
> even if they didn't want to use GitHub (did this even cost money for them)
Money is hardly the only reason why an open source project could have a problem with using GitHub.
That's the thing: according to the post he offered it, but the offer wasn't accepted. They stayed on Github, and it was the Github repos which were compromised. They did entertain his desire to let him host a read-only mirror - but that's hardly critical, and having complete strangers mirroring Linux ISOs or package repos has been a thing for ages.
The post makes zero mention of him ever joining or being part of the core infra ops team. So where did the admin access come from?
I don't know if this is the case here, but I have witnessed several instances in the open source community where someone offer to help with a boring/fastidious task and some temporary admin privileges are granted to them in order to make it easier.
But then, temporary become permanent because either the task never complete or because people just forgot. It's always when the problems start to appear that the temporary privileges are finally revoked.
In my case the problems were mostly due to incompetence, but sometimes a malicious action happens...
> It just sounds like the Mandriva maintainers are trusting and good folk who may be overworked running an open source project and that led to a bad apple entering the bunch. It's hard for me to be mad in that kind of situation.
It's hard to be mad, but people in FLOSS need to start taking this sort of cautionary tale to heart, particularly when it comes to Linux distros.
If you don't have a good way to sustain maintenance and development of a software project in the current era - one with LLM spam, social engineering, and apparently, jackass contributors - you need to start looking into ways to wrap the project up and focus your energies on more established projects that might need help.
I know that sounds mean, but this isn't just a hobby project anymore. This is an operating system. People put their entire lives on their computers. It's not a failure, you can do everything right and end up in a situation like we see here.
> How did it go from "He even performed a backup/mirror of several dozen of our repositories." to "He deleted part of our repository from GitHub
What's unclear? This guy was part of the project for some time and got maintainer trust. Then he brings in his mate. His mate is a crap person and gets kicked out of the project. The original guy then goes bananas and nukes stuff.
I have been part of the HN community for a while as well. I don't have admin access to its servers. That's the unclear part. How does it go from "offering to host it, which is refused" and "read-only mirror" to... this?
There aren’t, they just don’t write it because it’s shameful for them. They trusted a man who brought two more people in, and they thought they were sheriffs.
I feel for the maintaners. There is a push and pull here on OSS.
However, I have made the choice to remove all my repos from the internet and self host in the face of LLM spam.
Because Im not dependent on PRs from randos this doesnt really matter to me.
I think at some point OSS repos are going to have to come to grips with the reality of hosting on github or any public git host.
And go underground. Or decide whether the juice is any longer worth the squeeze. In my mind its not unless its off the internet. You may skate today, tomorrow you are completely screwed.
I had no idea mandriva/openmandriva still existed. I still have a mandrake cd somewhere, mostly because I cannot seem to be able to depart from physical media :)
Every time someone actively approaches you with an offer to spend their real energy and lifetime on your thing, It's almost always about leverage in some way.
At least if there is actual work attached to it.
Money alone might be paid by people that just have too much of it or want to feel better about something.
But if they actively involve themselves to a degree that goes way beyond scratching their own itch, something's up.
You might get lucky and find a just genuinely good person, but you might also not.
AUR has always been a risk and that wasn't the first attack of that kind. And here... Well, if it was coordinated, they would've picked a distro that doesn't prompt responses like: "Oh, mandriva still exists?"
i mean, they're succeeding. whether it's coordinated or not the conclusion is the same.
but i think "linux distributions are dangerous" is the wrong conclusion. the right one is to treat each distribution based on their own security practices, and not "linux" as a whole. one distro's bad practices doesn't make others unsafe any more than one distribution's good practices make other safe.
The real takeaway for projects and companies should be that someone having historically behaved in a logical and responsible way doesn’t guarantee that they’ll continue to do that for forever.
Good security architecture has circuit breakers, even for people who are generally high-trust.
I wouldn't say that there's an organized attempt to "paint Linux distros as dangerous". It's just what happens when you have people being people (as we see here) and there are structural vulnerabilities to software supply chains.
It's a juicy target, and it's being exploited. We can either learn from it or continue to suffer.
This isn't even new. Hell, I remember when Linux Mint was hacked a decade or more ago. They compromised the forums, the disk image downloads, the whole shebang. I haven't used it since.
stop trying to make AUR sound like a place that can be compromised.
it's literary a tetanus ridden landfill, by design!
it's nothing more than a place to share one-file (one file!) recipe on how to conveniently build a repo from outside the arch tree. yes, is usually how software end up in arch (after much more work)
the fact that idiots (in the original sense of the word in Greek) made automatic installers that fools novices to think those are vetted distro packages doesn't make it so.
The arch team seems to think differently based on how they reacted to the compromise. Something doesn't have to be locked down from the start in order to be compromised.
For the record there are at least 2 distros that carry the Mandriva/Mandrake legacy. Besides OpenMandriva there is also Mageia which I believe is the more popular option.
Me too. It was my first Linux back in 2003 and I was immediately hooked. Back then codecs weren't as much of an issue as they were in the late 2000s to early 2010s so everything worked out of the box and the performance on Pentium 4 with 128 MB RAM was phenomenal compared to Windows XP.
I feel like there's a few steps missing there. How does it go from "a new person joins the community" to "he's able to nuke everything"? Sure, he might be reasonably well-known, but in the post it doesn't sound like he was a core maintainer, or even a very active community member. Do they just randomly hand out admin access to anyone?
And it didn't sound like he was able to "nuke everything" - it sounds like he had access to their repository infrastructure (which is reasonable given he was volunteering to host it) and then lashed out.
If anything, I think it's a bigger organizational red flag that they agreed to privately host their source code on some random git forge and not a larger, more communal one. I mean, even if they didn't want to use GitHub (did this even cost money for them) then there are other providers to choose from.
It just sounds like the Mandriva maintainers are trusting and good folk who may be overworked running an open source project and that led to a bad apple entering the bunch. It's hard for me to be mad in that kind of situation.
I don't think that categorization is warranted - at least the linked announcement doesn't give any indication that the guy joined with the intent to cause trouble and its only after his friend got in trouble that he misused the access he had. No amount of vetting can prevent something like that entirely and only disconnected backups (thanks, git) will help you in the end.
> If anything, I think it's a bigger organizational red flag that they agreed to privately host their source code on some random git forge and not a larger, more communal one.
Did they agree to it? The linked post only says that it was offered and being discussed.
> even if they didn't want to use GitHub (did this even cost money for them)
Money is hardly the only reason why an open source project could have a problem with using GitHub.
The post makes zero mention of him ever joining or being part of the core infra ops team. So where did the admin access come from?
But then, temporary become permanent because either the task never complete or because people just forgot. It's always when the problems start to appear that the temporary privileges are finally revoked.
In my case the problems were mostly due to incompetence, but sometimes a malicious action happens...
It's hard to be mad, but people in FLOSS need to start taking this sort of cautionary tale to heart, particularly when it comes to Linux distros.
If you don't have a good way to sustain maintenance and development of a software project in the current era - one with LLM spam, social engineering, and apparently, jackass contributors - you need to start looking into ways to wrap the project up and focus your energies on more established projects that might need help.
I know that sounds mean, but this isn't just a hobby project anymore. This is an operating system. People put their entire lives on their computers. It's not a failure, you can do everything right and end up in a situation like we see here.
What's unclear? This guy was part of the project for some time and got maintainer trust. Then he brings in his mate. His mate is a crap person and gets kicked out of the project. The original guy then goes bananas and nukes stuff.
However, I have made the choice to remove all my repos from the internet and self host in the face of LLM spam.
Because Im not dependent on PRs from randos this doesnt really matter to me. I think at some point OSS repos are going to have to come to grips with the reality of hosting on github or any public git host.
And go underground. Or decide whether the juice is any longer worth the squeeze. In my mind its not unless its off the internet. You may skate today, tomorrow you are completely screwed.
Fwiw, I don't think it's an "AI" problem, is a knowledge and respect problem from the people that have their agents dump code on FOSS projects.
unfortunately i did not add a note at the time
Bravo, Davide, for erasing your trust score to zero. And for what? Was it worth it?
Every time someone actively approaches you with an offer to spend their real energy and lifetime on your thing, It's almost always about leverage in some way.
At least if there is actual work attached to it.
Money alone might be paid by people that just have too much of it or want to feel better about something.
But if they actively involve themselves to a degree that goes way beyond scratching their own itch, something's up.
You might get lucky and find a just genuinely good person, but you might also not.
Nah. Microsoft has better means to sell Windows.
but i think "linux distributions are dangerous" is the wrong conclusion. the right one is to treat each distribution based on their own security practices, and not "linux" as a whole. one distro's bad practices doesn't make others unsafe any more than one distribution's good practices make other safe.
Good security architecture has circuit breakers, even for people who are generally high-trust.
It's a juicy target, and it's being exploited. We can either learn from it or continue to suffer.
This isn't even new. Hell, I remember when Linux Mint was hacked a decade or more ago. They compromised the forums, the disk image downloads, the whole shebang. I haven't used it since.
it's literary a tetanus ridden landfill, by design!
it's nothing more than a place to share one-file (one file!) recipe on how to conveniently build a repo from outside the arch tree. yes, is usually how software end up in arch (after much more work)
the fact that idiots (in the original sense of the word in Greek) made automatic installers that fools novices to think those are vetted distro packages doesn't make it so.
https://9to5linux.com/mageia-10-officially-released-with-lin...
I'm so glad the project is still around.