-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
4.14.7 release was deleted #1042
Comments
I noticed a few days ago, but didn't know when or how it happened. I noticed some glitches while uploading some of the more recent versions (github misbehaved: it didn't allow me to publish a release for several attempts), so I guessed/assumed it would have been some github glitch what removed 4.14.7. But don't know what happened exactly. |
I have the original release tarballs in my own server http://www.alejandro-colomar.es/share/dist/shadow/4/4.14/4.14.7/ but I didn't want to re-upload it because that would obviously be suspicious. But if anyone needs it, it's available there. Just check the signature, and compare a checksum with one of the old github release, if anyone keeps it. |
If anyone knows how to report a bug to github, feel free to do so. It'd be interesting to learn what the hell happened, because as you say, it's pretty bad. If they can show logs of how that happened, that would be good. |
There's a bug form here. Given that we don't know what you did or how you did it, I don't think anyone can file a bug on your behalf. |
Done. https://support.github.com/ticket/personal/0/2874751 Although, I think that link is private, and don't see any button to make it public. :| |
I've created one on behalf of shadow-maint. Maybe this gives visibility at least to other maintainers... |
Github support said this is in their logs:
It was removed in 2024-05-25, it seems. Cc: @hallyn |
It does look like I did this (rather than my account being compromised). The ip address and firefox history are plausible, though with webapp stuff there's no concrete "delete this release" page. If I did, the our guess is that when Alejandro asked me to delete the 4.14.x branch, I deleted that release instead. I cannot imagine why I would not have just isssues the git command on command line. But if I did not have my yubikey, it is conceivable. |
Here's the request for branch removal that @hallyn referenced: #926 (comment) |
See https://bugs.gentoo.org/935453. It appears 4.14.7 was yanked. Please don't ever delete releases, especially not for a security-critical package. It destroys provenance and raises alarm bells.
If a release is broken, please add a note to the release notes and issue a new release.
The text was updated successfully, but these errors were encountered: