4.14.7 release was deleted #1042

Closed
thesamesam opened this issue Jul 4, 2024 · 9 comments

@thesamesam
Contributor

See https://bugs.gentoo.org/935453. It appears 4.14.7 was yanked. Please don't ever delete releases, especially not for a security-critical package. It destroys provenance and raises alarm bells.

If a release is broken, please add a note to the release notes and issue a new release.

thesamesam changed the title from "Please don't ever delete releases" to "4.14.7 release was deleted" on Jul 4, 2024
@alejandro-colomar
Collaborator

alejandro-colomar commented Jul 4, 2024

I noticed a few days ago, but didn't know when or how it happened. I noticed some glitches while uploading some of the more recent versions (GitHub misbehaved: it didn't allow me to publish a release for several attempts), so I guessed/assumed it would have been some GitHub glitch that removed 4.14.7. But I don't know what happened exactly.

@alejandro-colomar
Collaborator

I have the original release tarballs on my own server

http://www.alejandro-colomar.es/share/dist/shadow/4/4.14/4.14.7/

but I didn't want to re-upload it because that would obviously be suspicious. But if anyone needs it, it's available there. Just check the signature, and compare a checksum with one of the old GitHub release, if anyone keeps it.

@alejandro-colomar
Collaborator

If anyone knows how to report a bug to GitHub, feel free to do so. It'd be interesting to learn what the hell happened, because as you say, it's pretty bad. If they can show logs of how that happened, that would be good.

@floppym
Contributor

floppym commented Jul 8, 2024

There's a bug form here.

Given that we don't know what you did or how you did it, I don't think anyone can file a bug on your behalf.

@alejandro-colomar
Collaborator

> There's a bug form here.
>
> Given that we don't know what you did or how you did it, I don't think anyone can file a bug on your behalf.

Done. https://support.github.com/ticket/personal/0/2874751

Although, I think that link is private, and don't see any button to make it public. :|

@alejandro-colomar
Collaborator

alejandro-colomar commented Jul 8, 2024

I've created one on behalf of shadow-maint. Maybe this gives visibility at least to other maintainers...

https://support.github.com/ticket/personal/0/2874769

@alejandro-colomar
Collaborator

alejandro-colomar commented Jul 8, 2024

GitHub support said this is in their logs:

{
  "action": "release.destroy",
  "actor": "hallyn",
  "created_at": "2024-05-25 18:33:57 +0300",
  "name": "4.14.7: Casín aged++++++",
  "repo": "shadow-maint/shadow"
}

It was removed on 2024-05-25, it seems.

Cc: @hallyn
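
Added example, not part of the thread and not the project's or GitHub's code: a small detector that scans an audit-log export for `release.destroy` events shaped like the entry quoted above and normalizes their timestamps to UTC, so a deleted release is noticed when it happens rather than weeks later. It assumes the export is line-delimited JSON with the field names from the quoted entry; `find_release_deletions`, `SAMPLE_LOG` and `DESTRUCTIVE_ACTIONS` are hypothetical names.

```python
import json
from datetime import datetime, timezone

# Line 2 is the entry quoted in the thread; lines 1, 3 and 4 are constructed.
SAMPLE_LOG = """\
{"action": "release.publish", "actor": "example-maintainer", "created_at": "2024-05-20 10:02:11 +0000", "name": "example 1.0", "repo": "example-org/example"}
{"action": "release.destroy", "actor": "hallyn", "created_at": "2024-05-25 18:33:57 +0300", "name": "4.14.7: Casín aged++++++", "repo": "shadow-maint/shadow"}
this line is not JSON
{"action": "release.destroy", "actor": "example-maintainer", "created_at": "unknown", "name": "example 0.9", "repo": "example-org/example"}
"""

# Assumption: only release.destroy is known from the thread; add other action
# names from your own audit-log documentation.
DESTRUCTIVE_ACTIONS = {"release.destroy"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %z"  # timestamp layout of the quoted entry


def find_release_deletions(log_text):
    """Scan a line-delimited JSON export; return (findings, skipped_line_numbers)."""
    findings, skipped = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except ValueError:
            event = None
        if not isinstance(event, dict):
            skipped.append(lineno)  # report unparsable rows instead of hiding them
            continue
        if event.get("action") not in DESTRUCTIVE_ACTIONS:
            continue
        try:
            local = datetime.strptime(event["created_at"], TIME_FORMAT)
            when_utc = local.astimezone(timezone.utc).isoformat()
        except (KeyError, TypeError, ValueError):
            when_utc = None  # a bad timestamp must not suppress the finding
        findings.append({"repo": event.get("repo"), "release": event.get("name"),
                         "actor": event.get("actor"), "when_utc": when_utc})
    return findings, skipped


if __name__ == "__main__":
    found, bad_lines = find_release_deletions(SAMPLE_LOG)
    for f in found:
        print(f"ALERT release deleted: {f['repo']} {f['release']!r} "
              f"by {f['actor']} at {f['when_utc'] or 'unknown time'}")
    print("unparsable lines:", bad_lines)
```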

@hallyn
Member

hallyn commented Jul 10, 2024

It does look like I did this (rather than my account being compromised). The IP address and Firefox history are plausible, though with webapp stuff there's no concrete "delete this release" page.

If I did, then our guess is that when Alejandro asked me to delete the 4.14.x branch, I deleted that release instead. I cannot imagine why I would not have just issued the git command on the command line. But if I did not have my YubiKey, it is conceivable.

@alejandro-colomar
Collaborator

Here's the request for branch removal that @hallyn referenced: #926 (comment)
