Originally posted by crazycheese
Vandalizing Open-Source Drivers?
Michael Larabel
https://www.michaellarabel.com/
"I've disabled my root accounts on the fd.o machines. I don't trust me with them anymore either." (c)
At least that is good thinking on his part, or otherwise he would be eaten alive. Maaan, it's bad news, especially after Novell being dismembered by shady buyers and not bought by VMware. We're really lacking open graphics stack devs. I hope that RH will not screw him and he will stop drinking shit and take some good long sleep. Several times. And be back in business, if not as maintainer then as dev, at least.
Damn, trust is your main measure of authority in the community. It's bad to fuck it up.
-
Originally posted by stikonas
The relief is at least that git is quite good at detecting this. When writing git Linus Torvalds wanted to ensure that a malicious 3rd party cannot change anything but the HEAD (which is easy to spot).
If you know the sha1 of a given commit you can check the entire history from that point back to day zero (since the IDs of the parents contribute to the hash of the commit); this basically ensures the integrity of the repository (short of a preimage attack on sha1). However this case wasn't an attempt to modify an existing commit, rather it was a "legit" commit (though on a separate branch) that was only spotted by a human. Now, the message was clearly suspicious, but through direct access to the repo you could sneak in a commit that looks plausible (e.g. maybe coming from another trusted developer) but contains malicious code; sure git push will warn you, but you might overlook that change (for example when pulling stuff at work I don't inspect closely commits coming from trusted colleagues - though I do review stuff from interns or students).
Moral of the story: if an untrusted party has direct access to the repo it's game over.
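The two properties discussed in the post (hash chaining lets you verify all history from one known commit id, but a fresh, plausible-looking commit on top passes that check) can be seen with a toy model of git's object store. This is an added illustration, not code from the thread or from git: it keeps only the structural idea (a commit's id is the SHA-1 of content that includes the parent id) and drops git's real object framing, trees and signatures. The authors, tree ids and messages are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified model of a git commit. The identifier is the SHA-1 of the
# serialized content, and that content includes the parent's identifier,
# so every id transitively commits to the whole history behind it.
# (Real git hashes "commit <size>\0" + body and points at a tree object;
# this toy keeps the chaining only.)

@dataclass(frozen=True)
class Commit:
    tree: str              # stands in for the snapshot hash
    parent: Optional[str]  # id of the previous commit, None for the root
    author: str
    message: str

    def serialize(self) -> bytes:
        lines = [f"tree {self.tree}"]
        if self.parent is not None:
            lines.append(f"parent {self.parent}")
        lines.append(f"author {self.author}")
        return ("\n".join(lines) + "\n\n" + self.message).encode()

    @property
    def id(self) -> str:
        return hashlib.sha1(self.serialize()).hexdigest()


def commit_chain(specs: List[Tuple[str, str, str]]) -> Tuple[Dict[str, Commit], str]:
    """Build a linear history from (tree, author, message) tuples.
    Returns the object store keyed by commit id and the HEAD id."""
    store: Dict[str, Commit] = {}
    parent: Optional[str] = None
    for tree, author, message in specs:
        c = Commit(tree, parent, author, message)
        store[c.id] = c
        parent = c.id
    assert parent is not None, "need at least one commit"
    return store, parent


def verify_history(store: Dict[str, Commit], head: str) -> bool:
    """Walk from a known HEAD id back to the root, recomputing each id.
    An edited commit body or a redirected parent pointer anywhere in the
    chain makes a stored id disagree with its content, so the walk fails."""
    cur: Optional[str] = head
    while cur is not None:
        c = store.get(cur)
        if c is None or c.id != cur:
            return False
        cur = c.parent
    return True


def tamper(store: Dict[str, Commit], target_id: str, new_tree: str) -> None:
    """Edit an old commit in place under its existing id (what someone with
    raw write access to the object store could do). The id is now stale."""
    old = store[target_id]
    store[target_id] = Commit(new_tree, old.parent, old.author, old.message)


def demo() -> Dict[str, bool]:
    specs = [("tree-0", "alice", "initial import"),      # constructed sample history
             ("tree-1", "bob", "fix build"),
             ("tree-2", "alice", "add feature")]
    store, head = commit_chain(specs)
    results: Dict[str, bool] = {}

    # 1. Untouched history verifies from the pinned HEAD id.
    results["clean_verifies"] = verify_history(store, head)

    # 2. Rewriting the root commit is caught: its stored id no longer
    #    matches its content, so the walk from HEAD fails at that point.
    root_id = next(iter(store))
    tamper(store, root_id, "tree-0-modified")
    results["tamper_detected"] = not verify_history(store, head)

    # 3. A brand-new commit on top with a plausible author and message is
    #    internally consistent, so integrity checking alone accepts it.
    #    This is the gap the post describes; only review of the change
    #    (or a signature requirement, e.g. git's signed commits) closes it.
    store, head = commit_chain(specs)
    new = Commit("tree-3", head, "bob", "cleanup whitespace")
    store[new.id] = new
    results["new_commit_passes_integrity"] = verify_history(store, new.id)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two details are worth noting. First, the ids are fully determined by content, so anyone holding the HEAD id of a trusted clone can compare it with the upstream HEAD and then replay the whole chain; that is the check the post relies on. Second, the third case shows why "git detects vandalism" does not cover a commit that was never tampered with after creation: the hash chain proves that history was not rewritten, not that the newest commit was authored by the person it names. In real git, that gap is what commit signing (`git commit -S`, checked with `git verify-commit`) and mandatory review are for.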
-
Originally posted by libv
Apparently people only would do that if they worked for Novell?
But, if this is done by RH, the only thing that comes to my mind is paid sabotage by a 3rd party. Someone who wishes public trust in RH, its projects, the quality of its work and its employees to go down in a small to mid timeframe. Perhaps being uncovered after some time was also part of the plan.
Personally, I cannot imagine an adult starting to do baby-fun to others just because he is in a bad mood. Salary, rep. as a pro (career), rep. as a human (friend circle) - setting all these on fire just because he was in a bad mood. No possible way, unless something covered his mind (drugs etc).