
Thread: Vandalizing Open-Source Drivers?

  1. #1
    Join Date
    Jan 2007
    Posts
    14,815

    Default Vandalizing Open-Source Drivers?

    Phoronix: Vandalizing Open-Source Drivers?

    Somebody with root access to the FreeDesktop.org server decided to vandalize the RadeonHD graphics driver in this Git commit. The make files were deleted and replaced with "It's dead, Jim" and a Git commit message line of "PERHAPS BONGHITS WILL FIX MY MAKEFILE." The supplied email address was "root@jerkcity.com"...

    http://www.phoronix.com/vr.php?view=ODgxNw

  2. #2
    Join Date
    Jun 2009
    Posts
    2,929

    Default

    That was remarkably unnecessary.

  3. #3
    Join Date
    Mar 2009
    Posts
    141

    Default

    I lol'd. Should've kept it.

  4. #4
    Join Date
    Sep 2010
    Posts
    146

    Default

    Interestingly, the email address comes from the website of Jerkcity. Jerkcity is a webcomic notable enough to have a Wikipedia page. One of the characters is named Spigot (the name of the committer). Spigot is even based on one of the authors of the strip.

    Of course, it's likely that the vandal has nothing to do with Jerkcity, and simply spoofed his name and email address as a bad joke. He's already shown he's very good at covering up his tracks - as Luc noted, he disabled the update hook before his commit and re-enabled it afterward so that no email would be sent to the mailing list.

  5. #5
    Join Date
    May 2007
    Location
    Nurnberg.
    Posts
    323

    Default

    Quote Originally Posted by Plombo View Post
    Interestingly, the email address comes from the website of Jerkcity. Jerkcity is a webcomic notable enough to have a Wikipedia page. One of the characters is named Spigot (the name of the committer). Spigot is even based on one of the authors of the strip.

    Of course, it's likely that the vandal has nothing to do with Jerkcity, and simply spoofed his name and email address as a bad joke. He's already shown he's very good at covering up his tracks - as Luc noted, he disabled the update hook before his commit and re-enabled it afterward so that no email would be sent to the mailing list.
    The real question is: who would trust his code to fd.o after this?

  6. #6
    Join Date
    Sep 2009
    Location
    Edinburgh, UK
    Posts
    53

    Default

    Quote Originally Posted by libv View Post
    The real question is: who would trust his code to fd.o after this?
    The relief is at least that git is quite good at detecting this. When writing git, Linus Torvalds wanted to ensure that a malicious third party cannot change anything but the HEAD (which is easy to spot).

  7. #7
    Join Date
    Sep 2009
    Location
    Edinburgh, UK
    Posts
    53

    Default

    And even if rebasing published repositories is not recommended, in this case it is probably a good idea; there is no need to tolerate vandalism even if the project is not thriving.
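The two posts above rest on one property of git: every object is named by the hash of its bytes, and a commit names its parent and its tree, so changing anything older than the tip renames every commit after it. The following is an added example, not code from the page or from the RadeonHD project. It models git's real object encoding (the header "<type> <len>\0" plus body, hashed with SHA-1, so the names it produces match what `git hash-object` prints) on a constructed three-commit history with made-up developer identities and file contents, then runs the two checks an outside mirror can make: a fast-forward check (is the HEAD I last fetched still an ancestor of the new tip?) and a git-fsck style re-hash that catches an object edited in place on disk. It also shows why the vandal's commit in this thread was not caught that way: a commit on top of HEAD fast-forwards cleanly, and only the diff gives it away.

```python
"""Toy model of git's content-addressed history (added example).  Object
encoding follows git's real format, so the names produced here are the ones
`git hash-object` would print; everything else (identities, files) is made up."""
import hashlib
from dataclasses import dataclass, field


def git_hash(obj_type: str, content: bytes) -> str:
    """Name an object exactly as git does: sha1("<type> <len>\\0" + body)."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


@dataclass
class Repo:
    objects: dict = field(default_factory=dict)  # sha -> (type, raw bytes)

    def put(self, obj_type: str, content: bytes) -> str:
        sha = git_hash(obj_type, content)
        self.objects[sha] = (obj_type, content)
        return sha

    def blob(self, data: bytes) -> str:
        return self.put("blob", data)

    def tree(self, files: dict) -> str:
        # Tree entry layout: "<mode> <name>\0" + 20 raw sha bytes, sorted by name.
        raw = b"".join(f"100644 {name}\0".encode() + bytes.fromhex(sha)
                       for name, sha in sorted(files.items()))
        return self.put("tree", raw)

    def commit(self, tree: str, parents: list, ident: str, msg: str) -> str:
        lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
        lines += [f"author {ident} 1290000000 +0000",
                  f"committer {ident} 1290000000 +0000", "", msg]
        return self.put("commit", ("\n".join(lines) + "\n").encode())

    def parents(self, sha: str) -> list:
        headers = self.objects[sha][1].decode().split("\n\n", 1)[0]
        return [l.split()[1] for l in headers.splitlines() if l.startswith("parent ")]

    def ancestors(self, sha: str) -> set:
        seen, todo = set(), [sha]
        while todo:
            s = todo.pop()
            if s not in seen:
                seen.add(s)
                todo.extend(self.parents(s))
        return seen


def is_fast_forward(repo: Repo, recorded_head: str, new_head: str) -> bool:
    """The mirror's check: is the HEAD it last fetched still in the new history?"""
    return recorded_head in repo.ancestors(new_head)


def corrupt_objects(repo: Repo) -> list:
    """git-fsck style: objects whose bytes no longer hash to their own name."""
    return sorted(sha for sha, (t, raw) in repo.objects.items()
                  if git_hash(t, raw) != sha)


def scenario() -> dict:
    repo = Repo()
    dev = "Developer <dev@example.org>"       # constructed identity
    mk1 = repo.blob(b"SUBDIRS = src\n")        # constructed file contents
    c1 = repo.commit(repo.tree({"Makefile.am": mk1}), [], dev, "Initial import")
    mk2 = repo.blob(b"SUBDIRS = src man\n")
    t2 = repo.tree({"Makefile.am": mk2})
    c2 = repo.commit(t2, [c1], dev, "Build the man pages")
    c3 = repo.commit(t2, [c2], dev, "Release 1.3.0")
    mirror_head = c3                           # last HEAD an outside mirror saw

    # 1. What happened on fd.o: a commit on top of HEAD. It fast-forwards
    #    cleanly, so only the diff and the odd committer identity give it away.
    vandal = "Spigot <root@jerkcity.com>"
    t4 = repo.tree({"Makefile.am": repo.blob(b"It's dead, Jim\n")})
    c4 = repo.commit(t4, [c3], vandal, "PERHAPS BONGHITS WILL FIX MY MAKEFILE")

    # 2. Rewriting an older commit: every descendant gets a new name, so the
    #    branch tip no longer contains the HEAD the mirror recorded.
    t2x = repo.tree({"Makefile.am": repo.blob(b"It's dead, Jim\n")})
    c2x = repo.commit(t2x, [c1], dev, "Build the man pages")
    c3x = repo.commit(t2x, [c2x], dev, "Release 1.3.0")

    # 3. The maintainers' cleanup (reset the branch back to c3, dropping c4)
    #    trips the same check, which is why mirrors must be told it is deliberate.
    # 4. Editing an object file in place with root on the server keeps the
    #    hash chain intact, but the object no longer matches its own name.
    repo.objects[mk2] = ("blob", b"It's dead, Jim\n")

    return {
        "vandal_commit_fast_forwards": is_fast_forward(repo, mirror_head, c4),
        "rewrite_fast_forwards": is_fast_forward(repo, mirror_head, c3x),
        "cleanup_fast_forwards": is_fast_forward(repo, c4, c3),
        "in_place_edit_found": corrupt_objects(repo) == [mk2],
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The point for operations: both checks only mean something when they run somewhere the attacker cannot reach. Post #4 notes that the vandal had root and simply switched the update hook off around his push, so any alarm living on the fd.o server itself was his to silence; a mirror that remembers the last tip it fetched, refuses non-fast-forward updates by default, and re-hashes objects on receipt (as `git fetch` does) is outside that trust boundary. The same non-fast-forward signal is what every clone will see after the rebase post #7 proposes, so that cleanup has to be announced rather than pushed quietly.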

  8. #8
    Join Date
    Apr 2010
    Posts
    1,946

    Default

    Quote Originally Posted by libv View Post
    The real question is: who would trust his code to fd.o after this?
    I think the answer is more about improving security based on the attack vector that happened (hacker way) rather than panic (girl way) or inductive criticism (bad politician way).

    The event is a good training exercise for security.

  9. #9
    Join Date
    May 2007
    Location
    Nurnberg.
    Posts
    323

    Default

    Quote Originally Posted by crazycheese View Post
    I think the answer is more about improving security based on the attack vector that happened (hacker way) rather than panic (girl way) or inductive criticism (bad politician way).

    The event is a good training exercise for security.
    This is not a security thing, it is a trust thing here. Those people with root access to the fd.o servers should be fully trusted, if not, they should not have such access rights. This event here clearly shows that one person should not have been given access rights, even when this person might have had this since right after the xfree86 fork.

  10. #10
    Join Date
    Apr 2010
    Posts
    1,946

    Default

    Quote Originally Posted by libv View Post
    This is not a security thing, it is a trust thing here. Those people with root access to the fd.o servers should be fully trusted, if not, they should not have such access rights. This event here clearly shows that one person should not have been given access rights, even when this person might have had this since right after the xfree86 fork.
    We have a security talk here.
    Trust is a weakness. (C) Introversion
