Re: [GIT PULL] hardening fixes for v6.16-rc1 - Linus Torvalds
lore.kernel.org
  • catloaf@lemm.eeEnglish
    65·
    1 month ago

    Readers: make sure you read the replies. This happened four days ago and has since been resolved.

  • FauxLiving@lemmy.world
    41·
    1 month ago

    If you’re not familiar with reading mailing lists or don’t follow what is happening, Brodie Robertson on YT did a good video on this: https://youtu.be/GhfhzTDQdUU

    TL;DR: Some tooling script caused the problem, but it initially seemed like a malicious pull request from kernel developer. It wasn’t and the issue was resolved. The tooling script will be updated with better error messages so this kind of problem should be obvious when it occurs.

  • Eager Eagle@lemmy.worldEnglish
    251·
    1 month ago
    > Welp, that precisely recreated it -- even identical shas! Looking at
> the b4 output, I do see a suspicious "39 commits" listed for some reason.

Well, that's the point where the user, in theory, goes "this is weird, why is
it 39 commits," and does Ctrl-C, but I'm happy to accept blame here -- we
should be more careful with this operation and bail out whenever we recognize
that something has gone wrong. To begin with, we'll output a listing of all
the commits that will be rewritten, just to make it more obvious when things
are about to go wrong.

> So, I assume the "git-filter-repo" invocation is what mangled it. I will
> try to dig into what b4 actually asked it to do in the morning...

Thanks for looking into this. Linus, this is accurate and I am 100% convinced
that there was no malicious intent. My apologies for being part of the mess
through the tooling.

I will reinstate Kees's account so he can resume his work.

-K
  • squaresinger@lemmy.world
    23·
    1 month ago

    I got weirdly invested in this, and by the end I was kinda happy that it was “just” a bug in the tooling and not anything actually malicious.

      • phantomwise@lemmy.mlEnglish
        71·
        1 month ago

        Anubis is an anti bot protection measure that gives your browser a proof-of-work challenge to solve before giving you access to the website. When I opened the link the website briefly showed Anubis but the anime girl mascot wasn’t there 😭

  • Jtskywalker@lemm.ee
    6·
    1 month ago

    I’ve used these tools to remove stuff from git history (e.g. someone accidentally committed a password or key that wasn’t noticed for a while) and they are powerful but scary. Good discussion on what when wrong and how to avoid it or at least notice it before it gets this far

  • just_another_person@lemmy.world
    74·
    1 month ago

    WHOOOOOA. If Linus is not mistaken (doubtful), there wasn’t an intrusion in the repo, or there wasn’t some fucked up merge somewhere, this is crazy as hell. This is a huge deal. Good on Linus for catching it.

    • floofloof@lemmy.ca
      22·
      1 month ago

      If you read the whole thread, it turns out to be an undesirable behaviour of a tool called b4, which was rewriting not just author information but committer information. The consensus seems to be that this tool needs to be updated not to do that.

    • jdnewmil@lemmy.ca
      17·
      1 month ago

      They are a record of the process of adding to the Linux kernel. Such background can be used to trace the history of contributions if those contributions turn out to have had malicious intent or were derived from code that came from sources that were not compatible with the GNU license that the kernel is released under.