Devuan, April Fools, and self-destruction
An April Fools joke that went sour seems to be at least the proximate cause for a rather large upheaval in the Devuan community. For much of April 1 (or March 31 depending on time zone), the Devuan web site looked like it had been taken over by attackers, which was worrisome to many, but it was all a prank. The joke was clever, way over the top, unprofessional, or some combination of those, depending on who is describing it, but the incident and the threads on the devuan-dev mailing list have led to rancor, resignations, calls for resignations, and more.
Devuan was famously announced in 2014, after the Debian Technical Committee decided on systemd as the default init; Devuan is meant as an alternative Debian without systemd. It has made two releases since its inception, based on the Debian 8.0 ("jessie") and 9.0 ("stretch") releases. Devuan has gone its own way with code names since jessie, however, with "ASCII" as the name for the release based on 9.0 and "Beowulf" for the under-development version based on Debian 10.0 ("buster").
The split with Debian was rather acrimonious, with lots of heated rhetoric on both sides, but since then things have largely settled down. The two distributions have gone their separate ways, kept to their own mailing lists for the most part, and both kept working on their releases, package maintenance, and the like. There have even been some signs of rapprochement between some members of the two communities, in part to ensure that Debian's support for System V init (sysvinit) did not wither and die.
Attackers?
But on March 31, "stanz" posted a note to devuan-dev noting that the home page was redirected to one that claimed the site had been "pwned" by a group called the "green hat hackers" (Wayback Machine capture). Among the messages on the page, which included ASCII art of the green hat hackers "logo" and a great deal of promotion for the Gopher protocol, was: "WE TURNED ALL DEVUAN'S SHITTY WEBSITES INTO PROPER GOPHERHOLES". The response from Enzo "KatolaZ" Nicosia, who is one of the Caretakers of Devuan and one of its most active contributors, was even more worrisome:
That set off a bit of a panic on the list along with posts showing up on Reddit and Slashdot. Some immediately suspected it was an April Fool's prank and there were certainly some clues to that (two "prime" numbers were actually Unix timestamps that pointed to April 1 UTC dates in 1970 and 2019). But the fact that Nicosia was prolonging the "joke" (there are a couple of other messages like that in the thread) likely worsened the problem. He did eventually admit to the prank on the list.
That admission led to some technical admiration for the work that Nicosia had done but also to some predictable complaints about the whole affair. Joking about a security incident for a distribution's infrastructure is no laughing matter in many circles. The "joke" explanation could also be covering up a real attack or real attackers might have been able to take advantage of the chaos to actually compromise Devuan in some way. When the Devuan web sites were restored, Nicosia did apologize as part of the restoration announcement:
Pranks have always been an essential part of the hacker culture, and like it or not, Devuan has been brought to all of us by a bunch of passionate hackers working long nights, not by a team of serious white collars in suit and scarf doing 9-to-5.
I will definitely make sure I will not make such a mistake again in the future.
In that message, he also made it clear that no attack had taken place and that no Devuan servers were compromised. Another of the Devuan Caretakers, "Evilham", posted a note to try to calm things down a bit, while acknowledging that the trustworthiness of Devuan was severely negatively impacted by this action.
Mike Bird suggested legal action against the perpetrator and for Devuan to completely rebuild its infrastructure, replacing the existing security tokens and keys. Bird's larger point is that Nicosia has "proven himself unworthy of trust", so it is hard to be sure his explanation of the incident is valid. Others reject that, including Evilham, who wrote:
Another of the Caretakers, Denis "Jaromil" Roio, who was also one of the early leaders and a member of the Veteran Unix Admins (VUA) group that founded Devuan, also posted to the list. He explained that it was "the most [skillful] prank I've witnessed in my life", that Devuan comes with no warranty, and that Nicosia has been "by far the developer making the most significant contributions to this project". He found the attacks on Nicosia to be unwarranted. That did not pacify Bird, whose aggressive responses eventually led Roio to put him in the moderation queue. But there were still some other rumblings of discontent, though many, perhaps most, were mollified by the apology from Nicosia.
Nicosia steps away
In any case, however, Nicosia posted on April 11 that he was stepping away from the project:
In the last ten days all those [three] things have materialised, to different degrees. Hence, I have decided to withdraw from Devuan and will now take an indefinite leave from the project.
He suggested that readers of his post not reply to it and to spend that time making Devuan better instead. As might be guessed, though, people were unable to resist replying, generally in support of Nicosia, with the occasional complaint about the "attack". But then things took a turn for the worse, when Roio accused yet another Caretaker, Daniel Reurich ("Centurion" or "CenturionDan"), of being the reason behind Nicosia stepping down:
I'm hereby asking CenturionDan out of the caretakers and will initiate a public and democratic process for that. I believe those of the community who want Katolaz back should first and foremost ask CenturionDan to get the hell out of the caretakers group.
For his part, Reurich replied in the thread that he was concerned with how the joke/attack looked to outsiders, particularly businesses that use Devuan:
In the initial communication to my fellow caretakers, I suggested that KatolaZ and Jaromil might offer to resign as caretakers in order to show that we take such matters seriously, and that they alone working in concert pulled the joke off without discussing with the other caretakers.
Reurich continued, saying that he had withdrawn that request for resignation, though he made some additional comments in the private thread that "continued to stoke the fire". He apologized to the Devuan community and to Roio, as well as making it clear he would welcome Nicosia back. Reurich concluded with a plea rather similar to Nicosia's:
Part of the underlying problem here seems to be the tension between those who are using Devuan for production servers for themselves or their customers and those who are part of the project, at least partly, to have fun. Reurich seems to be in the business camp, while Nicosia leans more toward the fun side of things. Roio seems to be trying to find some middle ground, but his response to Reurich did little to bury the hatchet. Roio accepted the apology, but felt it was insufficient.
In the meantime, he created a new web site that is meant to list those providing professional, enterprise support for Devuan; it is meant to "clearly separate community efforts from commercial ones and establish a clear relationship between the two", he said.
After that, things seemingly spiraled out of control. Reurich did an upgrade on the continuous integration host that went awry and his explanation of that seemingly intermingled private messages from the Caretakers' mailing list. Roio took exception to much of what Reurich had said, which led Reurich to consider resigning from the project. Most of the posts in reply to that were supportive of Reurich and of him remaining in the project, though Roio's response was not particularly welcoming to that idea.
There is a lot of drama, which, for the most part, Nicosia has stayed out of (as he said that he planned to do when he stepped away). He has popped up a time or two, mostly to suggest participants in the threads find better things to do with their time—hopefully by working on Devuan. But the project is already down one Caretaker and another may be on his way out, which is not likely to be good for the project. It is a bit ironic that an action meant to put a smile on people's faces—however misguided that may have been—has led to something of a crisis for Devuan.
Posted Apr 24, 2019 22:24 UTC (Wed)
by flussence (guest, #85566)
[Link] (44 responses)
Maybe this is all part of the show, and after another few years of unproductive flaming we'll end up with a Devuan fork that only has a gopher net presence?
Posted Apr 24, 2019 23:02 UTC (Wed)
by mgk (guest, #74833)
[Link] (43 responses)
Posted Apr 24, 2019 23:23 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
Posted Apr 25, 2019 0:31 UTC (Thu)
by mpr22 (subscriber, #60784)
[Link] (1 responses)
Neither of these seem particularly relevant to the incident we're discussing.
Posted Apr 25, 2019 1:06 UTC (Thu)
by rgmoore (✭ supporter ✭, #75)
[Link]
I think this was probably a mistake, and Cyberax actually meant a CFAA (Computer Fraud and Abuse Act) violation, which would make more sense.
Posted Apr 25, 2019 15:32 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link]
Posted Apr 25, 2019 0:33 UTC (Thu)
by mpr22 (subscriber, #60784)
[Link] (33 responses)
The term "prank" covers a range of activities; some things that one person perceives as a prank, another may instead perceive as vandalism, assault, extortion, fraud, or an assortment of other such unpleasant terms.
One is entitled to regard any particular prank as unworthy of censure, but indignation at the very concept of a person being censured for pulling a prank seems... misguided.
Posted Apr 25, 2019 3:38 UTC (Thu)
by nivedita76 (subscriber, #121790)
[Link] (32 responses)
Posted Apr 25, 2019 4:22 UTC (Thu)
by mgb (guest, #3226)
[Link] (30 responses)
I am "that Bird guy".
I suggested that Devuan business users should consult their own attorneys as to their own liability if they continued to use Devuan after Devuan refused to audit or rebuild their compromised servers.
We expected it would take a long time to move all our systems from Devuan to Debian but it turns out that Debian now has all the sysvinit support we need in stretch-backports and buster. As Devuan consists of little more than a few changes to a few Debian packages we were able to switch in a few hours with about as much effort as it takes to roll out an average day's security updates.
Nevertheless we remain grateful to the people who undertook the substantial initial effort to create Devuan and to maintain it over that period of years when Debian's sysvinit support was broken.
As of course we are also grateful to all free software developers and packagers.
Posted Apr 25, 2019 5:46 UTC (Thu)
by lkundrak (subscriber, #43452)
[Link]
Thanks for the laughing time for those of us, who didn't wish the Devuan project any luck from the beginning.
Posted Apr 25, 2019 8:43 UTC (Thu)
by nilsmeyer (guest, #122604)
[Link]
I'm sure they're at least entitled to their money back.
Posted Apr 25, 2019 8:53 UTC (Thu)
by dgm (subscriber, #49227)
[Link] (4 responses)
That said, I think this was blown way out of proportion. A joke is a joke, it's what April Fools' is about. Pretending that a joke can cover some kind of security problem just shows distrust for the developers. When this is the case, nothing Devuan could do will make up for this inherent lack of trust. All the talk about "compromised" servers just shows that lack of trust, unless you have any other indication that there was an attack.
To sum up, if you don't trust the developers, don't use their software. And if you cannot tolerate a bad joke, don't go near human beings.
Posted Apr 25, 2019 9:58 UTC (Thu)
by ovitters (guest, #27950)
[Link] (1 responses)
The only thing I disliked was the attitude this joke brought. Meaning: "evil people from XXX are out to get Devuan". Too much attention seeking action IMO. On other hand, most April Fools jokes are utterly boring and me too type actions.
Security related, the Riot.im incident is way crazier. Compromised, restoration, then another compromise. Then the old Android app is purposely broken, preventing any migration from the old app to the new app. Not cool!
Posted Apr 25, 2019 14:54 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Apr 25, 2019 10:33 UTC (Thu)
by zdzichu (subscriber, #17118)
[Link]
Posted Apr 25, 2019 11:33 UTC (Thu)
by excors (subscriber, #95769)
[Link]
Not all jokes are equivalent, and April Fools' Day is specifically about jokes that would be considered both unfunny and unacceptably disruptive at any other time of year. That's why they get relegated to a single day - if they were actually good jokes then they could be performed at any time. If a joke isn't intended to be good, maybe it shouldn't be performed at all.
Posted Apr 25, 2019 11:16 UTC (Thu)
by pizza (subscriber, #46)
[Link] (1 responses)
Which raises the question -- For an end-user, what exactly is Devuan's value proposition over Debian?
...And as a follow-up, how much of that value (and trust in Devuan's collective professionalism) remains after this juvenile stunt?
Posted Apr 25, 2019 23:49 UTC (Thu)
by sml (guest, #75391)
[Link]
The major value is that the noisy anti-systemd crowd has removed themselves from Debian mailing lists in favour of their own little echo chamber. This removes a major distraction from Debian and results in more time to concentrate on fixing bugs.
Posted Apr 25, 2019 15:28 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link] (17 responses)
I mean, "we're the hackers using green monochrome text monitors and have taken over the web to replace it with gopher, as it was always meant to be"? On April 1st?
- love to have tried to access any of this via gopher -
Posted Apr 25, 2019 16:14 UTC (Thu)
by mgb (guest, #3226)
[Link] (15 responses)
Several of Devuan's own caretakers (core developers) did not know of the stunt, believed that Devuan's servers had indeed been hacked, were unable to access the hacked servers, and disconnected as much infrastructure as they could from the hacked servers.
For businesses using Devuan to believe likewise does not seem unreasonable or overreaction.
The breaking point for us was when Devuan refused to audit or rebuild the compromised servers. Even if we trusted the prankster we cannot be sure that some black hat did not pwn them using some vulnerability in the temporary stunt software.
Posted Apr 25, 2019 17:19 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link] (1 responses)
Posted Apr 26, 2019 8:55 UTC (Fri)
by nilsmeyer (guest, #122604)
[Link]
Posted Apr 25, 2019 17:50 UTC (Thu)
by augustz (guest, #37348)
[Link] (4 responses)
Did you offer to pay for the audit of the system you felt was necessary or do it yourself, or was this a demand being made on a group of volunteers?
If you have this high level security need / worry in your business - I might suggest using a more commercially oriented / backed distribution.
It's seems a bit unfair to threaten a group of volunteers with jail time after choosing to use something they provided for free.
Posted Apr 25, 2019 19:00 UTC (Thu)
by mgb (guest, #3226)
[Link] (3 responses)
One does not demand of F/LOSS volunteers.
If one no longer has an adequate level of trust one stops using that software.
Posted Apr 26, 2019 11:40 UTC (Fri)
by nix (subscriber, #2304)
[Link] (2 responses)
> I know nothing of Italian law but whether or not the incident
This seems inconsistent with your position here, that just stopping using it is enough.
Posted Apr 26, 2019 12:30 UTC (Fri)
by mgb (guest, #3226)
[Link] (1 responses)
Devuan servers were compromised. Devuan devs were locked out. Devuan devs believed their servers had been hacked. Devuan devs took steps to disconnect other servers from the compromised servers.
What happened next was entirely Devuan's choice. They could have sought advice from their lawyers or the police. They could have audited or rebuilt their servers to ensure their integrity. Their choice was to do nothing.
The choice for Devuan users is different. If they no longer trust Devuan they can stop using it. That is the choice we made.
Everyone makes their own choices. Choices have consequences.
Posted May 22, 2019 8:08 UTC (Wed)
by rickmoen (subscriber, #6943)
[Link]
No. You have long been aware of this claim being flat-out incorrect, but keep repeating it. We were both there. (I'm not a Devuan Project insider, but am a longtime sympathetic participant with no horse in this race otherwise, as you probably recall.) As you are fully aware, exactly zero Devuan servers were compromised. One of the caretakers pretended, as the substance of a meticulously implemented, hilarious, and deeply unwise prank, that they had been, and then revealed the prank within the customary one-day period, and then apologised for the unwise choice of prank framing (inside a supposed security breach). The biggest damage was then done by, to be blunt, you and a few other people who flew off the handle and did the Internet-maximal-noise dance at great length and to stupefying effect. If you were hoping to be thanked for that, I fear you will be a long time waiting. Rick Moen
Posted Apr 25, 2019 18:17 UTC (Thu)
by nivedita76 (subscriber, #121790)
[Link] (7 responses)
Posted Apr 25, 2019 20:40 UTC (Thu)
by edomaur (subscriber, #14520)
[Link] (6 responses)
The whole point here is that after any event like that, you need to do a security assessment, otherwise how can you be _REALLY_ sure that nothing is amiss ? Today, Linux distros are somewhat central in the Internet world. If one of those is not able to prove that it has really not been compromised, then it is only a toy and not a tool.
Posted Apr 26, 2019 17:21 UTC (Fri)
by rweikusat2 (subscriber, #117920)
[Link] (3 responses)
A member of the core team of some distribution temporarily replaced a web page/ set of web pages on some set of servers belonging to the distribution. This happened on April 1st, was meant to be an April Fools joke and was pretty clearly recognizable as such due to the nature of the replacement page (efficient text-only gopher vs the bloated WWW being a holy war of the 1990s --- do we perhaps need a warning sign "You may encounter people over 35 here. If they do something you absolutely don't understand, please consider asking about it before panicking and jumping to wild conclusion"?). Revealing this as the joke it was supposed to be ought to be entirely sufficient to 'prove' nothing was compromised here.
Posted Apr 26, 2019 19:00 UTC (Fri)
by pizza (subscriber, #46)
[Link] (2 responses)
There seem to be two logical explanations:
* They were genuinely (and cleverly) hacked, and are lying to cover it up while trying to restore services
Either way, the way it's been handled does not exactly instil confidence in Devuan's competence or professionalism, and I would expect "Veteran Unix Administrators" to be quite aware that those qualities are high on the list of "reasons to use Distribution X for anything remotely important".
Posted Apr 26, 2019 20:07 UTC (Fri)
by rweikusat2 (subscriber, #117920)
[Link] (1 responses)
Posted Apr 26, 2019 22:24 UTC (Fri)
by pizza (subscriber, #46)
[Link]
Posted Apr 26, 2019 17:36 UTC (Fri)
by nivedita76 (subscriber, #121790)
[Link]
Posted Apr 26, 2019 17:40 UTC (Fri)
by nivedita76 (subscriber, #121790)
[Link]
Posted Apr 29, 2019 10:06 UTC (Mon)
by jezuch (subscriber, #52988)
[Link]
Posted Apr 25, 2019 16:58 UTC (Thu)
by jhhaller (guest, #56103)
[Link] (1 responses)
Rather than asking a lawyer, asking your insurance broker is probably a better solution, as they are in the business of assessing risk and pricing it. If you can't get insurance, they will tell you why, and what you can do to be insurable. Alternatively, if you can't afford insurance, but have no substantial assets, it probably doesn't matter, as no one will sue an entity where there's no pot of gold at the end of the rainbow. The lawyers are more likely to say your liability is limitless, and so will your legal expense costs. A lawyer will never say there is no risk, as that opens them up to liability, and they don't want the cost of their Errors and Omissions insurance policy to go up.
Posted Apr 26, 2019 11:42 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted Apr 25, 2019 19:18 UTC (Thu)
by jschrod (subscriber, #1646)
[Link]
Please note: April 1 is over.
Please don't publish your bad jokes here on lwn.net. They're not funny.
Posted Apr 26, 2019 8:56 UTC (Fri)
by nilsmeyer (guest, #122604)
[Link]
People who threaten lawsuits usually can't afford an attorney.
Posted Apr 25, 2019 14:35 UTC (Thu)
by bferrell (subscriber, #624)
[Link]
Pranks that go on for a full 24 hours by persons in a position of trust who ACT as if it were a full on breach... That's a problem on a number of levels that I would hope don't need actual enumeration.
Calls for liability checks... Well, those should have been done by commercial users, just in general. The "prank" shouldn't be needed as a trigger for that business activity, and using the incident as a "weapon" is probably not ok, in some other ways too.
All of it implies there may be larger issues in play that, by the way it's played out, have highlighted a threat to the project.
Posted Apr 25, 2019 15:05 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (3 responses)
Something can only be considered a prank if the target thinks it's funny; if they don't laugh then it's not a prank, it's just being an a**hole. The feelings of the person doing the "prank" and whether they consider it OK don't matter as much as the feelings of the person on the receiving end.
So go ahead, do fun pranks! But, know your audience first and plan accordingly, take responsibility when you get it wrong.
Posted Apr 25, 2019 19:56 UTC (Thu)
by rgmoore (✭ supporter ✭, #75)
[Link] (1 responses)
I disagree strongly. An important use of pranks is a way for the meek and powerless to puncture the overinflated egos of the powerful and obnoxious. That type of prank is rarely appreciated by its victim, and it can be quite nasty. That doesn't mean it isn't a prank; it's just a mean spirited one.
Posted Apr 25, 2019 21:16 UTC (Thu)
by roc (subscriber, #30627)
[Link]
Posted Apr 26, 2019 8:13 UTC (Fri)
by mvdwege (guest, #113583)
[Link]
Posted Apr 25, 2019 9:35 UTC (Thu)
by gwojcieszczuk (guest, #93675)
[Link]
Posted Apr 25, 2019 16:08 UTC (Thu)
by perennialmind (guest, #45817)
[Link] (15 responses)
Unless that was the message? "Putting this stuff into production is crazy – please don't do that"?
Posted Apr 25, 2019 20:13 UTC (Thu)
by roc (subscriber, #30627)
[Link] (13 responses)
A responsible admin for production systems can't just take the approach "I think this apparent breach is *probably* a prank therefore I am going to do nothing".
A responsible project owner would know this and not create such a dilemma for their users.
Demonizing the concerns of responsible admins by portraying them as the wrong side of the false dichotomy of "passionate hackers working long nights" vs "team of serious white collars in suit and scarf doing 9-to-5" is even more contemptuous of those users. (I particularly dislike this trope --- some very skilled, very passionate hackers have families and other responsibilities that make it necessary and right to limit their work hours.)
Posted Apr 25, 2019 20:35 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link] (12 responses)
Posted Apr 25, 2019 20:47 UTC (Thu)
by perennialmind (guest, #45817)
[Link] (1 responses)
Posted Apr 25, 2019 20:54 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link]
Posted Apr 25, 2019 21:13 UTC (Thu)
by roc (subscriber, #30627)
[Link] (9 responses)
Posted Apr 26, 2019 17:44 UTC (Fri)
by nivedita76 (subscriber, #121790)
[Link] (8 responses)
Posted Apr 26, 2019 19:13 UTC (Fri)
by perennialmind (guest, #45817)
[Link]
Conscientious admins come in small scale shops and solo acts too. Sure, beyond-the-basics, fancy intrusion detection systems are available for those who can devote the necessary resources for defense in depth. But even for them, given the prevalence of scrupulous, painstaking curation in distros like Debian, RedHat, and others, why consider Devuan when such carelessness is on display?
Message matters. The message here: toy, not tool.
Posted Apr 26, 2019 19:29 UTC (Fri)
by mgb (guest, #3226)
[Link] (5 responses)
Posted Apr 30, 2019 14:29 UTC (Tue)
by nix (subscriber, #2304)
[Link] (4 responses)
Actual compromises require a different set of responses to terribly ill-judged poor jokes, and complaining that post-compromise responses were not implemented in response to a really badly-judged prank is like complaining that release announcements are not properly sent out after a compromise (equally inappropriate, because a compromise is not a software release).
Posted Apr 30, 2019 14:57 UTC (Tue)
by mgb (guest, #3226)
[Link] (2 responses)
ONE Devuan admin compromised some Devuan servers. All other Devuan admins and devs were locked out, thought the attack was real, reported that Devuan had been pwned, and were doing what they could to isolate other Devuan infrastructure from the compromised systems.
This continued for 24 hours.
The "prankster" then left the project but Devuan management refused to audit or rebuild the compromised servers and simply declared them uncompromised.
To this date nobody knows whether the "prankster" accidentally or deliberately left any compromises, or whether unrelated black hats were able to gain access during the compromise.
The "prank" was stupid but Devuan could have recovered from it. The management response was inexcusable.
Posted May 2, 2019 13:41 UTC (Thu)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted May 4, 2019 0:13 UTC (Sat)
by anselm (subscriber, #2796)
[Link]
Remember that these are the people who think it's a good idea to fork an entire Linux distribution just to get rid of an inconsequential library they don't like. Personally I'm not in the least surprised.
Posted Apr 30, 2019 17:07 UTC (Tue)
by rahvin (guest, #16953)
[Link]
You might still trust that person, but anyone who sensibly relies on those services can't trust that nothing is compromised without an outside audit. That's just a rule of the business world. The only question that I see is: is Devuan a professional distribution with standards, or is it a toy where a lockout like this can be undertaken without an external audit to verify it was just a joke?
The person who instituted the joke at this point should not be trusted, they locked out the entire administration staff. Maybe you are having difficulty seeing this outside point of view because you know and trust the person involved. Ask yourself this question:
If you worked at a company with a handful of admins and one of them locked everyone else out of the servers and pretended they'd been externally compromised for an extended period of time, how would that go down? Would the company laugh it off as a good joke?
Posted Apr 26, 2019 22:21 UTC (Fri)
by roc (subscriber, #30627)
[Link]
Posted Apr 26, 2019 13:47 UTC (Fri)
by hunger (subscriber, #36242)
[Link]
I would expect my distribution to fix central infrastructure first and discuss consequences afterwards.
Posted Apr 25, 2019 17:53 UTC (Thu)
by bigon (subscriber, #57617)
[Link] (3 responses)
Posted Apr 25, 2019 19:33 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link]
[*] Devuan being the last OSS project I cared for beyond "convenient software limestone quarry".
Posted Apr 26, 2019 13:02 UTC (Fri)
by asbesto (guest, #131656)
[Link] (1 responses)
All this... for an April's fool. (The BEST April's fool EVER, IMHO)
MEH
You people don't understand the true spirit beyond Devuan.
I'm so sorry for that :( Eventually, you will get it. Eventually not. We don't care.
Because Devuan is skyrocketing. Get a life! LAUGH! and CODE! LOVE!
Posted Apr 29, 2019 10:07 UTC (Mon)
by bigon (subscriber, #57617)
[Link]
What I understand is that FOSS is based on trust. Start claiming that your infrastructure has been hacked is a breach of this trust. So, sure, distributions have no or limited legal liabilities, but having users means that you have people who trust and/or rely on your work.
> So much happiness and joy and freedom...
I always considered that there is a difference between freedom and doing irrational stuff...
But in the end I also don't care about Devuan, so....
Posted Apr 29, 2019 22:16 UTC (Mon)
by amarao (guest, #87073)
[Link]
But I feel that the drama distro got its own queen time.
Posted May 2, 2019 12:32 UTC (Thu)
by ale2018 (guest, #128727)
[Link]
And, I guess, you neither say "first numbers". Hm...
Posted May 3, 2019 2:00 UTC (Fri)
by julian67 (guest, #99845)
[Link] (1 responses)
Anyhow, I'm not a convert. I found systemd painful and frustrating as it got integrated into Debian testing but once it got mature I really have no complaints. As a boring and small time end user I like it. Even though it was a little like learning esperanto at first I am now truly grateful that I will never have to write or understand another init script. I like the logging options too. For what it's worth I run multiple Debian (and armbian) systems, some of which serve as audio and video streamers, and while I'm very happy with systemd I prefer plain old ALSA and an appropriate ~/.asound.conf over pulseaudio, so I think I can claim not to be an undiscriminating consumer of all things Poettering/Red Hat/<insert wicked name here>.
Posted Jun 4, 2019 7:32 UTC (Tue)
by spongy (guest, #59953)
[Link]
Instead, were I the CSO at any site running Devuan, I would quietly(*) start a migration off of all of that gear running Devuan at my facility. I would install an entirely new distro, one system at a time. And I would start using file integrity systems like Tripwire, integrit or AIDE to monitor any and all changes to the release software base of my new distro.
(*) quietly, meaning keep the new file monitoring system absolutely private and quiet. That way, if any insiders unwittingly attempt to poison your new software base, you will be able to identify those persons and deal with them appropriately.
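As an added example, not code from the commenter and not from Tripwire, integrit or AIDE themselves, the following Python script is a simplified stand-in for such a tool: it records a baseline (SHA-256 digest, size, mode, owner) for every regular file under a directory, stores that baseline outside the monitored tree so it can be kept private as the comment suggests, and on a later check reports added, removed and modified files, refusing to run if the baseline file itself has been altered. The directory layout, file contents and simulated changes in `demo()` are constructed sample data.

```python
import hashlib
import json
import os
import stat
import tempfile

# Simplified file-integrity baseline (an added illustration, not Tripwire/AIDE code).


def _digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: {gid, mode, sha256, size, uid}} for regular files under root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are skipped in this simplified version
            entries[os.path.relpath(full, root)] = {
                "sha256": _digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return entries


def write_baseline(root, db_path):
    """Write the baseline to db_path and return the digest of the database file.

    Keep db_path off the monitored tree and record the returned digest somewhere
    the monitored host cannot reach; that digest is what lets verify() notice a
    baseline that has been edited to hide a change."""
    data = json.dumps(snapshot(root), sort_keys=True, indent=1).encode()
    with open(db_path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def verify(root, db_path, expected_db_digest):
    """Compare the tree against the baseline; raise if the baseline was tampered with."""
    with open(db_path, "rb") as f:
        raw = f.read()
    if hashlib.sha256(raw).hexdigest() != expected_db_digest:
        raise RuntimeError("baseline database has been altered")
    old = json.loads(raw)
    new = snapshot(root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for rel in sorted(set(old) & set(new)):
        # keys come back in sorted order (gid, mode, sha256, size, uid)
        diffs = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed end-to-end run in a temporary tree; returns (report, tamper_detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "cgi"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Devuan</h1>\n")
        with open(os.path.join(root, "cgi", "status.sh"), "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        db = os.path.join(tmp, "baseline.json")  # stored outside the monitored tree
        db_digest = write_baseline(root, db)
        # Simulated unauthorised changes: a defaced page, a new file, a permission change.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>defaced</h1>\n")
        with open(os.path.join(root, "robots.txt"), "w") as f:
            f.write("User-agent: *\n")
        os.chmod(os.path.join(root, "cgi", "status.sh"), 0o755)
        report = verify(root, db, db_digest)
        # Editing the baseline itself is also caught, because its digest no longer matches.
        with open(db, "ab") as f:
            f.write(b"\n")
        try:
            verify(root, db, db_digest)
            tamper_detected = False
        except RuntimeError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```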
> The only thing I disliked was the attitude this joke brought. Meaning: "evil people from XXX are out to get Devuan".
I don't see why this was a surprise. It's exactly their response to everything else that impinges on Devuan, ever.
> should be referred for criminal prosecution is a question you
> should already be discussing with your lawyers or the police.
> Devuan servers were compromised.
* This was a prank that was made without any heads-up to other core team members, and was taken _way_ too far, to the point where weeks later services still aren't fully restored.
Devuan, April Fools, and self-destruction
your best bet is to switch to Microsoft products, as you are likely to be able to get an indemnification agreement
Really? With Microsoft, as with any other large software company, you're as likely to be able to get them to indemnify you against flaws as you are to get them to ship you a live unicorn. Small software companies that you have over the barrel (as by far their largest customer) might be convinced to do it, as the last alternative before an outright takeover, but anyone else? Not a chance.
Devuan, April Fools, and self-destruction
Something can only be considered a prank if the target thinks its funny
Devuan, April Fools, and self-destruction
When a distro's own sysadmins and developers are locked out of their own compromised servers I would say that is not a good sign.
You keep calling this a compromise, yet the very article you are responding to says, in the second line:
the Devuan web site looked like it had been taken over by attackers, which was worrisome to many, but it was all a prank
That is to say, it was not a compromise, because the people who openly stated that they took it offline were Devuan's own admins. If you think this was a compromise, then I recommend you go to the island of San Serriffe for your next holiday, because that clearly exists as well. This whole prank was a terrible idea, but I see no more reason to believe Devuan was compromised after it than before it. (I do see it as a reason to believe that Devuan's administrators are not people I would trust to administer a public resource, and thus that it is more likely that it was compromised long ago than I had last month -- but this prank is not itself a sign of a systems compromise happening at the same time.)
Devuan, April Fools, and self-destruction
ONE Devuan admin compromised some Devuan servers. All other Devuan admins and devs were locked out, thought the attack was real, reported that Devuan had been pwned, and were doing what they could to isolate other Devuan infrastructure from the compromised systems.
That's something I hadn't grasped, and makes this much closer to an actual insider attack by a single privileged entity. It's as much an attack as, say, an admin wiping systems before he's fired (though a less destructive one). My head is full of WTF that anyone could possibly have thought this a good idea for even a microsecond.
Devuan, April Fools, and self-destruction
My head is full of WTF that anyone could possibly have thought this a good idea for even a microsecond.
Devuan, April Fools, and self-destruction
MIT doesn't teach anything to all of you? In all those years? :)
So much happiness and joy and freedom...