Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Posted Apr 25, 2019 3:38 UTC (Thu) by nivedita76 (subscriber, #121790)In reply to: Devuan, April Fools, and self-destruction by mpr22
Parent article: Devuan, April Fools, and self-destruction
Posted Apr 25, 2019 4:22 UTC (Thu)
by mgb (guest, #3226)
[Link] (30 responses)
I am "that Bird guy".
I suggested that Devuan business users should consult their own attorneys as to their own liability if they continued to use Devuan after Devuan refused to audit or rebuild their compromised servers.
We expected it would take a long time to move all our systems from Devuan to Debian but it turns out that Debian now has all the sysvinit support we need in stretch-backports and buster. As Devuan consists of little more than a few changes to a few Debian packages we were able to switch in a few hours with about as much effort as it takes to roll out an average day's security updates.
Nevertheless we remain grateful to the people who undertook the substantial initial effort to create Devuan and to maintain it over that period of years when Debian's sysvinit support was broken.
As of course we are also grateful to all free software developers and packagers.
Posted Apr 25, 2019 5:46 UTC (Thu)
by lkundrak (subscriber, #43452)
[Link]
Thanks for the laughing time for those of us, who didn't wish the Devuan project any luck from the beginning.
Posted Apr 25, 2019 8:43 UTC (Thu)
by nilsmeyer (guest, #122604)
[Link]
I'm sure they're at least entitled to their money back.
Posted Apr 25, 2019 8:53 UTC (Thu)
by dgm (subscriber, #49227)
[Link] (4 responses)
That said, I think this was blown way out of proportion. A joke is a joke, it's what April's Fools is about. Pretending that a joke can cover some kind of security problem just shows distrust for the developers. When this is the case, nothing Devuan could do will make for this inherent lack of trust. All the talk about "compromised" servers just shows that lack of trust, unless you have any other indication that there was an attack.
To sum up, if you don't trust the developers, don't use their software. And if you cannot tolerate a bad joke, don't go near human beings.
Posted Apr 25, 2019 9:58 UTC (Thu)
by ovitters (guest, #27950)
[Link] (1 responses)
The only thing I disliked was the attitude this joke brought. Meaning: "evil people from XXX are out to get Devuan". Too much attention seeking action IMO. On other hand, most April Fools jokes are utterly boring and me too type actions.
Security related, the Riot.im incident is way crazier. Compromised, restoration, then another compromise. Then the old Android app is purposely broken, preventing any migration from the old app to the new app. Not cool!
Posted Apr 25, 2019 14:54 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Apr 25, 2019 10:33 UTC (Thu)
by zdzichu (subscriber, #17118)
[Link]
Posted Apr 25, 2019 11:33 UTC (Thu)
by excors (subscriber, #95769)
[Link]
Not all jokes are equivalent, and April Fools' Day is specifically about jokes that would be considered both unfunny and unacceptably disruptive at any other time of year. That's why they get relegated to a single day - if they were actually good jokes then they could be performed at any time. If a joke isn't intended to be good, maybe it shouldn't be performed at all.
Posted Apr 25, 2019 11:16 UTC (Thu)
by pizza (subscriber, #46)
[Link] (1 responses)
Which raises the question -- For an end-user, what exactly is Devuan's value proposition over Debian?
...And as a follow-up, how much of that value (and trust in Devuan's collective professionalism) remains after this juvenile stunt?
Posted Apr 25, 2019 23:49 UTC (Thu)
by sml (guest, #75391)
[Link]
The major value is that the noisy anti-systemd crowd has removed themselves from Debian mailing lists in favour of their own little echo chamber. This removes a major distraction from Debian and results in more time to concentrate on fixing bugs.
Posted Apr 25, 2019 15:28 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link] (17 responses)
I mean, "we're the hackers using green monochrome text monitors and have taken over the web to replace it with gopher, as it was always meant to be"? On April 1st?
- love to have tried to access any of this via gopher -
Posted Apr 25, 2019 16:14 UTC (Thu)
by mgb (guest, #3226)
[Link] (15 responses)
Several of Devuan's own caretakers (core developers) did not know of the stunt, believed that Devuan's servers had indeed been hacked, were unable to access the hacked servers, and disconnected as much infrastructure as they could from the the hacked servers.
For businesses using Devuan to believe likewise does not seem unreasonable or overreaction.
The breaking point for us was when Devuan refused to audit or rebuild the compromised servers. Even if we trusted the prankster we cannot be sure that some black hat did not pwn them using some vulnerability in the temporary stunt software.
Posted Apr 25, 2019 17:19 UTC (Thu)
by rweikusat2 (subscriber, #117920)
[Link] (1 responses)
Posted Apr 26, 2019 8:55 UTC (Fri)
by nilsmeyer (guest, #122604)
[Link]
Posted Apr 25, 2019 17:50 UTC (Thu)
by augustz (guest, #37348)
[Link] (4 responses)
Did you offer to pay for the audit of the system you felt was necessary or do it yourself, or was this a demand being made on a group of volunteers?
If you have this high level security need / worry in your business - I might suggest using a more commercially oriented / backed distribution.
It's seems a bit unfair to threaten a group of volunteers with jail time after choosing to use something they provided for free.
Posted Apr 25, 2019 19:00 UTC (Thu)
by mgb (guest, #3226)
[Link] (3 responses)
One does not demand of F/LOSS volunteers.
If one no longer has an adequate level of trust one stops using that software.
Posted Apr 26, 2019 11:40 UTC (Fri)
by nix (subscriber, #2304)
[Link] (2 responses)
> I know nothing of Italian law but whether or not the incident
This seems inconsistent with your position here, that just stopping using it is enough.
Posted Apr 26, 2019 12:30 UTC (Fri)
by mgb (guest, #3226)
[Link] (1 responses)
Devuan servers were compromised. Devuan devs were locked out. Devuan devs believed their servers had been hacked. Devuan devs took steps to disconnect other servers from the compromised servers.
What happened next was entirely Devuan's choice. They could have sought advice from their lawyers or the police. They could have audited or rebuilt their servers to ensure their integrity. Their choice was to do nothing.
The choice for Devuan users is different. If they no longer trust Devuan they can stop using it. That is the choice we made.
Everyone makes their own choices. Choices have consequences.
Posted May 22, 2019 8:08 UTC (Wed)
by rickmoen (subscriber, #6943)
[Link]
No. You have long been aware of this claim being flat-out incorrect, but keep repeating it. We were both there. (I'm not a Devuan Project insider, but am a longtime sympathetic participant with no horse in this race otherwise, as you probably recall.) As you are fully aware, exactly zero Devuan servers were compromised. One of the caretaker pretended, as the substance of a meticulously implemented, hilarious, and deeply unwise prank that they had been, and then revealed the prank within the customary one-day period, and then apologised for the unwise choice of prank framing (inside a supposed security breach). The biggest damage was then done by, to be blunt, you and a few other people who flew off the handle and did the Internet-maximal-noise dance at great length and to stupefying effect. If you were hoping to be thanked for that, I fear you will be a long time waiting. Rick Moen
Posted Apr 25, 2019 18:17 UTC (Thu)
by nivedita76 (subscriber, #121790)
[Link] (7 responses)
Posted Apr 25, 2019 20:40 UTC (Thu)
by edomaur (subscriber, #14520)
[Link] (6 responses)
The whole point here is that after any event like that, you need to do a security assessment, otherwise how can you be _REALLY_ sure that nothing is amiss ? Today, Linux distros are somewhat central in the Internet world. If one of those is not able to prove that it has really not been compromised, then it is only a toy and not a tool.
Posted Apr 26, 2019 17:21 UTC (Fri)
by rweikusat2 (subscriber, #117920)
[Link] (3 responses)
A member of the core team of some distribution temporarily replaced a web page/ set of web pages on some set of servers belonging to the distribution. This happened on April 1st, was meant to be an April Fools joke and was pretty clearly recognizable as such due to the nature of the replacement page (efficient text-only gopher vs the bloated WWW being a holy war of the 1990s --- do we perhaps need a warning sign "You may encounter people over 35 here. If they do something you absolutely don't understand, please consider asking about it before panicking and jumping to wild conclusion"?). Revealing this as the joke it was supposed to be ought to be entirely sufficient to 'prove' nothing was compromised here.
Posted Apr 26, 2019 19:00 UTC (Fri)
by pizza (subscriber, #46)
[Link] (2 responses)
There seem to be two logical explanations:
* They were genuinely (and cleverly) hacked, and are lying to cover it up while trying to restore services
Either way, the way it's been handled does not exactl instil confidence in Devuan's competence or professionalism, and I would expect "Veteran Unix Administrators" to be quite aware that those qualities are high on the list of "reasons to use Distribution X for anything remotely important"
Posted Apr 26, 2019 20:07 UTC (Fri)
by rweikusat2 (subscriber, #117920)
[Link] (1 responses)
Posted Apr 26, 2019 22:24 UTC (Fri)
by pizza (subscriber, #46)
[Link]
Posted Apr 26, 2019 17:36 UTC (Fri)
by nivedita76 (subscriber, #121790)
[Link]
Posted Apr 26, 2019 17:40 UTC (Fri)
by nivedita76 (subscriber, #121790)
[Link]
Posted Apr 29, 2019 10:06 UTC (Mon)
by jezuch (subscriber, #52988)
[Link]
Posted Apr 25, 2019 16:58 UTC (Thu)
by jhhaller (guest, #56103)
[Link] (1 responses)
Rather than asking a lawyer, asking your insurance broker is probably a better solution, as they are in the business of assessing risk and pricing it. If you can't get insurance, they will tell you why, and what you can do to be insurable. Alternatively, if you can't afford insurance, but have no substantial assets, it probably doesn't matter, as no one will sue an entity where there's no pot of gold at the end of the rainbow. The lawyers are more likely to say your liability is limitless, and so will your legal expense costs. A lawyer will never say there is no risk, as that opens them up to liability, and they don't want the cost of their Errors and Omissions insurance policy to go up.
Posted Apr 26, 2019 11:42 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted Apr 25, 2019 19:18 UTC (Thu)
by jschrod (subscriber, #1646)
[Link]
Please note: April 1 is over.
Please don't publish your bad jokes here on lwn.net. They're not funny.
Posted Apr 26, 2019 8:56 UTC (Fri)
by nilsmeyer (guest, #122604)
[Link]
People who threaten lawsuits usually can't afford an attorney.
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
The only thing I disliked was the attitude this joke brought. Meaning: "evil people from XXX are out to get Devuan".
I don't see why this was a surprise. It's exactly their response to everything else that impinges on Devuan, ever.
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
> should be referred for criminal prosecution is a question you
> should already be discussing with your lawyers or the police.
Devuan, April Fools, and self-destruction
Devuan servers were compromised.
Devuan, April Fools, and self-destruction
rick@linuxmafia.com
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
* This was a prank that was made without any heads-up to other core team members, and was taken _way_ too far, to the point where weeks later services still aren't fully restored.
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction
your best bet is to switch to Microsoft products, as you are likely to be able to get an indemnification agreement
Really? With Microsoft, as with any other large software company, you're as likely to be able to get them to indemnify you against flaws as you are to get them to ship you a live unicorn. Small software companies that you have over the barrel (as by far their largest customer) might be convinced to do it, as the last alternative before an outright takeover, but anyone else? Not a chance.
Devuan, April Fools, and self-destruction
Devuan, April Fools, and self-destruction