Devuan, April Fools, and self-destruction

Posted Apr 25, 2019 20:40 UTC (Thu) by edomaur (subscriber, #14520)
In reply to: Devuan, April Fools, and self-destruction by nivedita76
Parent article: Devuan, April Fools, and self-destruction

I understand his point : How can you prove that they are, indeed, figments of imagination ?

The whole point here is that after any event like that, you need to do a security assessment, otherwise how can you be _REALLY_ sure that nothing is amiss ? Today, Linux distros are somewhat central in the Internet world. If one of those is not able to prove that it has really not been compromised, then it is only a toy and not a tool.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:21 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (3 responses)

There was no 'event like that'.

A member of the core team of some distribution temporarily replaced a web page/ set of web pages on some set of servers belonging to the distribution. This happened on April 1st, was meant to be an April Fools joke and was pretty clearly recognizable as such due to the nature of the replacement page (efficient text-only gopher vs the bloated WWW being a holy war of the 1990s --- do we perhaps need a warning sign "You may encounter people over 35 here. If they do something you absolutely don't understand, please consider asking about it before panicking and jumping to wild conclusion"?). Revealing this as the joke it was supposed to be ought to be entirely sufficient to 'prove' nothing was compromised here.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 19:00 UTC (Fri) by pizza (subscriber, #46) [Link] (2 responses)

It wasn't just a replaced web page. If it was, nobody would have really cared after April 2nd. Instead, a whole bunch of infrastructure was taken offline, and weeks later, at least some of it is _still_ down.

There seem to be two logical explanations:

* They were genuinely (and cleverly) hacked, and are lying to cover it up while trying to restore services
* This was a prank that was made without any heads-up to other core team members, and was taken _way_ too far, to the point where weeks later services still aren't fully restored.

Either way, the way it's been handled does not exactl instil confidence in Devuan's competence or professionalism, and I would expect "Veteran Unix Administrators" to be quite aware that those qualities are high on the list of "reasons to use Distribution X for anything remotely important"

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 20:07 UTC (Fri) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

This autorepeat-FUD based on nothing but thin air is getting a bit tiresome.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 22:24 UTC (Fri) by pizza (subscriber, #46) [Link]

...You do realize that the parent article contains many, many links to actual messages posted on the devuan-devel mailing list, and that the drama is still ongoing?

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:36 UTC (Fri) by nivedita76 (subscriber, #121790) [Link]

The point is that in this case it was irrelevant. The prank was perpetrated by someone who ALREADY had full access to the servers. There was nothing to compromise.

Devuan, April Fools, and self-destruction

Posted Apr 26, 2019 17:40 UTC (Fri) by nivedita76 (subscriber, #121790) [Link]

This is also an interesting attitude to take, because in the real world there are exactly zero operating systems that can prove they have not been compromised. No linux distro gives you any sort of proof that its servers haven't been compromised. If that's the level of trust you need, then you need to use something homegrown, built from source code and with an audit team going over that source code to make sure there are no compromises. I'll bet even the NSA isn't that paranoid.