Following is on a personal note after having tried to fix things
behind
curtains and to get something "official" out.
First things first and because I think somebody has to say it in
the
right tone the situation merits:
I am really sorry for the mess of today (+/- 13 hours because
timezones)
and I hope it does not impact too negatively the trust of users in
the
project in the long-run.
Further clarifying things: **to my knowledge**(*) nothing has been
compromised, but it is indeed a very elaborated prank.
I hope this helps reassure those who are rightfully concerned,
disappointed or disgusted by the whole thing and that a more
sensible
"official"/definitive/detailed announcement comes soon.
(*): **to my knowledge** means that I am still trusting the
communications and the project, even if I decided keep in place
the
temporarily disconnect of my systems from devuan's infra.
Evilham writes:
Dear all,
this is being sent privately, but with the perspective of it
being
public.
I won't go into the stupidity of April's fools as a general
concept, but
instead meet halfway and consider that a valid thing to do (even
when
your users are not exclusively in the limited parts of the world
where
that's a thing) and instead analyse the way this was done.
This is not an April's fools joke, this reflects very badly on
Devuan as
a distribution that is something beyond someone's playground.
I will explain: we, as Devuan, need people's trust, the fact
that
anybody uses Devuan (or any distribution/Operating System),
implies a
huge degree of trust on the team behind it.
After all, if you control an Operating System, you control in
fact, a
trivial way to gain root on everyone's systems.
Even assuming a fakely claimed security issue were funny, this
was
badly
done. Had it been just about devuan-web, it wouldn't have been
as
terrible
as this is: going the lengths of doing it with gdo and the build
system
undermines that trust of users towards Devuan.
It's been now well over 12 hours and the "joke" is still on, it
still hints
at all parts of the infraestructure being compromised, it still
looks as
if gdo and the build system were compromised.
For anyone wanting to do serious things while using Devuan, this
is
extremely bad taste.
I know of at least 5 people wasting a few hours of their lives
(me
included) over this, *obviously* if the peope you trust are
telling you
"Devuan is fucked, we don't even have access to the infra", the
very
first thing you are going to do is start all your contingency
plans, not
bother with "obvious" puzzles and hints.
We are talking about critical infrastructure here, this is the
internet
equivalent of being in an airport and shouting "THERE IS A BOMB!
Nah
just kidding". It is not only childish, it is irresponsible.
I kindly ask everyone to reconsider and bring the thing down as
soon as
possible and publish a public apology.
In the end, this is not a PR stun, it's a PR disgrace and it's
messing
with the people who care about the distribution and the
distribution's
always-lingering reputation.
Even if there is no public apology, I will at least on a
personal
level
do what I consider right and publish this email on DNG.
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
