> The surviving Devuan core team members will take zero or
> more steps to prove Devuan trustworthy and sysadmins will
> each decide for themselves or with their lawyers whether
> they can continue to use Devuan.

Weirdly enough I trust Devuan a bit more after this incident:

- I now know that the Devuan servers are run by a very small team. Small is good. I now know that there isn't a humorless communications, legal or HR department which can overrule public-facing communications. That is good for the longevity of the project, as it means the odds of it staying fun for longer are better. Too many procedures cause necrosis. Also: there is somebody who has the inclination and ability to build a complex technical prank. That means that somebody sees this as more than just a job and has some technical and time reserves.

- This event has had more than one person think about what would happen if Devuan were really compromised. How would you have restored/rolled back your systems? So instead of complaining about a bad joke, consider it a dress rehearsal for a real compromise. Is it worth the effort to keep a many-month-old copy of Devuan sources offline, as a starting point for recovery from a catastrophic compromise? Should you pick a few packages and mirror their upstream sources? Can you even build a package from source - if not, might it not be worth understanding how? If you aren't thinking about these things now, then you aren't taking security seriously.

This is not to say that the prank had problems: When confronted with somebody asking on April 1st: "is this really true, were you compromised?" one doesn't answer "yes, we are investigating". One either fesses up or tries to stretch credulity beyond breaking: "Yes we are investigating, and there is this green light shining from the server rack. It turns out the hackers aren't just wearing green hats, they are totally green and rather little - we are negotiating with them at the moment for access to our leader. Must be this time of year again..."

regards

marc

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng