
Thread: Vandalizing Open-Source Drivers?

  1. #31

    Quote Originally Posted by crazycheese:
    He is VERY lucky not being in some corporate entity. Sorry won't be enough; they'd claim $100 Bln compensation from him. Bad moral mood my *** (sorry).
    What are you talking about? He is one of the lead X devs for Red Hat...

  2. #32

    "I've disabled my root accounts on the fd.o machines. I don't trust me with them anymore either." (c)

    At least that is good thinking on his part, or otherwise he would be eaten alive. Man, it's bad news, especially after Novell being dismembered by shady buyers and not bought by VMware. We are really lacking open graphics stack devs. I hope that RH will not screw him and he will stop drinking shit and take some good long sleep. Several times. And be back in business, if not as maintainer then as dev, at least.
    Damn, trust is your main measure of authority in the community. It's bad to fuck it up.

  3. #33

    Quote Originally Posted by stikonas:
    The relief is at least that git is quite good at detecting this. When writing git, Linus Torvalds wanted to ensure that a malicious 3rd party cannot change anything but the HEAD (which is easy to spot).
    There's no magic wand shipped with git. If you know the SHA-1 of a given commit you can check the entire history from that point back to day zero (since the IDs of the parents contribute to the hash of the commit); this basically ensures the integrity of the repository (short of a preimage attack on SHA-1). However, this case wasn't an attempt to modify an existing commit; rather it was a "legit" commit (though on a separate branch) that was only spotted by a human. Now, the message was clearly suspicious, but through direct access to the repo you could sneak in a commit that looks plausible (e.g. maybe coming from another trusted developer) but contains malicious code; sure, git push will warn you, but you might overlook that change (for example, when pulling stuff at work I don't inspect closely commits coming from trusted colleagues, though I do review stuff from interns or students).
    Moral of the story: if an untrusted party has direct access to the repo, it's game over.
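The hash chain tettamanti describes, as an added example that is not part of the thread: it hashes commit objects exactly the way git does, walks parents from a trusted tip, and shows both what the chain catches (a rewritten old commit) and what it cannot catch (a well-formed new commit pushed by someone with write access). The in-memory store, author string and commit messages are constructed for the demo.

```python
import hashlib

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree id

def git_object_id(kind, body):
    """SHA-1 over 'kind <len>\\0body', exactly how git names its objects."""
    return hashlib.sha1(b"%s %d\0%s" % (kind.encode(), len(body), body)).hexdigest()

def make_commit(store, tree, parents, author, message):
    """Build a commit object in git's text format and file it under its id."""
    lines = [b"tree " + tree.encode()] + [b"parent " + p.encode() for p in parents]
    lines += [b"author " + author.encode(), b"committer " + author.encode()]
    body = b"\n".join(lines) + b"\n\n" + message.encode() + b"\n"
    oid = git_object_id("commit", body)
    store[oid] = body
    return oid

def parents_of(body):
    header = body.split(b"\n\n", 1)[0]
    return [l[7:].decode() for l in header.split(b"\n") if l.startswith(b"parent ")]

def verify_chain(store, trusted_tip):
    """Walk parent links from a trusted tip, rehashing every commit object.
    Returns (ok, ids_checked); ok is False at the first object whose bytes
    no longer hash to the id its child commit names as a parent."""
    checked, todo = [], [trusted_tip]
    while todo:
        oid = todo.pop()
        if oid in checked:
            continue
        body = store.get(oid)
        if body is None or git_object_id("commit", body) != oid:
            return False, checked
        checked.append(oid)
        todo.extend(parents_of(body))
    return True, checked

def demo():
    store = {}  # constructed in-memory object store standing in for .git/objects
    dev = "Trusted Dev <dev@example.invalid> 1291000000 +0000"  # constructed
    c1 = make_commit(store, EMPTY_TREE, [], dev, "initial import")
    c2 = make_commit(store, EMPTY_TREE, [c1], dev, "fix modesetting")
    c3 = make_commit(store, EMPTY_TREE, [c2], dev, "release")
    clean = verify_chain(store, c3)[0]
    # Rewriting history: edit c1's message in place; its bytes no longer hash to c1
    tampered = dict(store)
    tampered[c1] = store[c1].replace(b"initial import", b"initial import, plus extra")
    rewrite_caught = not verify_chain(tampered, c3)[0]
    # A new, well-formed commit under a trusted name: the chain stays intact,
    # so only human review (or signed commits) would flag it
    c4 = make_commit(store, EMPTY_TREE, [c3], dev, "minor cleanup")
    new_commit_passes = verify_chain(store, c4)[0]
    return clean, rewrite_caught, new_commit_passes
```

The two well-known git ids (empty blob and empty tree) fall out of `git_object_id`, which confirms the hashing matches real git objects.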

  4. #34

    Looks like Daniel Stone was involved too.

  5. #35

    Quote Originally Posted by Michael:
    Looks like Daniel Stone was involved too.
    Yeah, this was most definitely not a simple prank, as some people like to claim.

  6. #36

    Quote Originally Posted by Michael:
    What are you talking about? He is one of the lead X devs for Red Hat...
    Sorry, I thought he was a Novell employee. But why would anyone possibly do that?

  7. #37

    Quote Originally Posted by crazycheese:
    Sorry, I thought he was a Novell employee. But why would anyone possibly do that?
    Apparently people would only do that if they worked for Novell?

  8. #38

    Quote Originally Posted by libv:
    Apparently people would only do that if they worked for Novell?
    Yes they're like, the devil and stuff.

  9. #39

    Quote Originally Posted by libv:
    Apparently people would only do that if they worked for Novell?
    My mindflow was: company sold -> very probably fired -> bad mood -> some personal graffiti.

    But, if this is done by RH, the only thing that comes to my mind is paid sabotage by a 3rd party. Someone who wishes public trust in RH, its projects, the quality of its work and its employees to go down in a small to mid timeframe. Perhaps being uncovered after some time was also part of the plan.

    Personally, I cannot imagine an adult starting doing baby-fun to others just because he has a bad mood. Salary, rep. as a pro (career), rep. as a human (friend circle): setting all these on fire just because he had a bad mood. No possible way, unless something covered his mind (drugs etc).

  10. #40

    Quote Originally Posted by tettamanti:
    if an untrusted party has direct access to the repo it's game over
    Since humans are not an open-source clear piece of paper, anyone can go from trusted to untrusted. I think the moral is more like: Trust does not XOR verification.
