> The surviving Devuan core team members will take zero or
> more steps to prove Devuan trustworthy and sysadmins will
> each decide for themselves or with their lawyers whether
> they can continue to use Devuan.
Weirdly enough I trust Devuan a bit more after this incident:
- I now know that the Devuan servers are run by a very small
team. Small is good. I now know that there isn't a humorless
communications, legal or HR department which can overrule public
facing communications. That is good for the longevity of the project,
as it means the odds of it staying fun for longer are better.
Too many procedures cause necrosis. Also: there is somebody
who has the inclination and ability to build a complex technical
prank. That means that somebody sees this as more than just a job
and has some technical and time reserves.
- This event has had more than one person think about what would
happen if Devuan were really compromised. How would you have
restored/rolled back your systems? So instead of complaining
about a bad joke, consider it a dress rehearsal for a real
compromise. Is it worth the effort to keep a many-month-old
copy of Devuan sources offline, as a starting point for
recovery from a catastrophic compromise? Should you pick
a few packages and mirror their upstream sources? Can you
even build a package from source? If not, might it not be worth
understanding how? If you aren't thinking about these things
now, then you aren't taking security seriously.
This is not to say that the prank had problems: When confronted
with somebody asking on April 1st: "is this really true, were you
compromised?" one doesn't answer "yes, we are investigating". One
either fesses up or tries to stretch credulity beyond breaking: "Yes
we are investigating, and there is this green light shining from
the server rack. It turns out the hackers aren't just wearing green hats,
they are totally green and rather little - we are negotiating with
them at the moment for access to our leader. Must be this time
of year again..."
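The "dress rehearsal" the post asks for has a concrete first step: an offline copy of the sources is only a useful recovery point if you can later tell whether a live tree still matches it. The script below is an added example (not code from the post or from the Devuan project) that records a SHA-256 manifest of a snapshot and checks a working copy against it; the sample source tree, the `hello-1.0` package name and the temporary paths are constructed for illustration. It needs only POSIX sh, find, cp and GNU sha256sum.

```shell
#!/bin/sh
# Added example, not part of the original post. The sample tree and paths
# are constructed; only POSIX sh, find, cp and sha256sum are required.

# Write a SHA-256 manifest of every regular file under the snapshot.
# Keep the manifest outside the tree (ideally on the offline copy) so a
# compromised mirror cannot rewrite the reference it is checked against.
make_manifest() {
    snapshot_dir="$1"
    manifest="$2"
    ( cd "$snapshot_dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
}

# Check a tree against a manifest. Prints the names of files whose hash
# differs or which are missing; returns 0 when clean, non-zero otherwise.
# Note: files added to the tree but absent from the manifest are not reported.
verify_tree() {
    tree_dir="$1"
    manifest="$2"
    abs_manifest=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")
    ( cd "$tree_dir" && sha256sum -c --quiet "$abs_manifest" ) 2>/dev/null
}

# Rehearsal: snapshot a constructed source tree, then detect a silent change.
# Echoes "clean" for the pristine copy and "tampered" for the modified copy.
rehearsal() {
    work=$(mktemp -d)
    mkdir -p "$work/snapshot/hello-1.0/debian"
    printf 'int main(void){return 0;}\n' > "$work/snapshot/hello-1.0/hello.c"
    printf 'Source: hello\n' > "$work/snapshot/hello-1.0/debian/control"
    make_manifest "$work/snapshot" "$work/SHA256SUMS"

    # The "live" copy starts identical to the offline snapshot.
    cp -R "$work/snapshot" "$work/live"
    if verify_tree "$work/live" "$work/SHA256SUMS" >/dev/null; then echo clean; else echo dirty; fi

    # Simulate a compromised mirror: one source file changed in place.
    printf 'int main(void){return 1;}\n' > "$work/live/hello-1.0/hello.c"
    if verify_tree "$work/live" "$work/SHA256SUMS" >/dev/null; then echo clean; else echo tampered; fi

    rm -rf "$work"
}
```

Run `rehearsal` to see the two verdicts; in practice you would call `make_manifest` once when the offline copy is taken and `verify_tree` whenever you need to know whether the live mirror can still be trusted. Because `sha256sum -c` only walks the manifest, files added to the live tree after the snapshot go unnoticed; comparing a fresh manifest of the live tree against the stored one (for example with `diff`) closes that gap.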