Author: Mike Bird
To: dng
Subject: Re: [DNG] What you saw on devuan.org yesterday was an April's fools joke
On Tue April 2 2019 07:30:58 Jaromil wrote:
> 1. There was no break-in on any part of Devuan's infrastructure on 1st
>    April. This was the most skillful prank I've witnessed in my life.

You are easily impressed. And you double down on KatolaZ's
irresponsible vandalism with a display of lazy wishful thinking.
You are claiming no break-in but you have reported nothing to
establish the integrity of your systems and software from
the ground up as any real Veteran Unix Admin knows how to do.

Your claim comes after KatolaZ wrote:

We know. Seems to be quite serious. No access to our infra.
We are working on it, and we will post updates.

And Evilham wrote:

Had it been just about devuan-web, it wouldn't have been
as terrible as this is: going the lengths of doing it with
gdo and the build system undermines that trust of users
towards Devuan.

It's been now well over 12 hours and the "joke" is still on,
it still hints at all parts of the infrastructure being
compromised, it still looks as if gdo and the build system
were compromised.

While golinux indicated this had not been discussed in advance
by the team:

I was not aware of any discussion about this action.

Nor has there been any explanation of why other core team
members were unable to shut down or redirect DNS, shut down
or repair the compromised systems, or take any other measures
to mitigate the attack during the 24 hours it lasted. You
simply don't know what happened during those 24 hours or
what is still compromised and any reliance on the claims of
an admitted attacker is beyond ridiculous.

If any of you were the Veteran Unix Admins that you claimed
to be you would know that a hand-waving "nothing happened"
is utterly inadequate to prove that your systems and software
have not been compromised without your knowledge.

You have taken zero steps to prove Devuan trustworthy and
you seem to think that's the end of the matter.

Sysadmins will now each decide for themselves or with their
lawyers whether they can continue to use Devuan. I'll be
reading this list until our switch is complete. If anyone
finds a lawyer who says that it's safe to keep a production
system on Devuan I'd love to hear their reasoning.

The work now to switch distros is a drag but worst of all
is that you have just done more in one day to undermine the
viability of alternatives to SystemD than its proponents
could ever have dreamed of.

> 2. Devuan comes WITHOUT ANY WARRANTY. Bluntly put, if you
>    want to hold someone liable, you need a contract.

That's why people who cause airports to be evacuated by
shouting "bomb" can't be both sued for the cost of the
delays and prosecuted, right? No contract?

How many billable person hours do you think your little
stunt is going to end up costing worldwide?