On 06.07.2014 13:38, drago01 wrote:

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

...

• A script automating most of the process of validating and processing the

request can be found at

https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...

On 06.07.2014 13:46, Igor Gnatenko wrote:

Hi, On Sun, Jul 6, 2014 at 3:41 PM, Sandro Mani manisandro@gmail.com wrote:

...

On 06.07.2014 13:38, drago01 wrote:

...

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

...

• A script automating most of the process of validating and processing

the request can be found at

https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...

Seems that you have NOT fixed issue.

-Igor Gnatenko

I pushed one second ago...

On 06.07.2014 13:48, Reindl Harald wrote:

Am 06.07.2014 13:41, schrieb Sandro Mani:

...

On 06.07.2014 13:38, drago01 wrote:

...

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

...

• A script automating most of the process of validating and processing the

request can be found at

https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...

how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?

line 302 is a no-go in general line 301 before that smells like intention

i can't imagine that two lines together happen by mistake

It was a line ordering issue. The cwd before that call was the temporary directory. Please trust me, I really feel bad about this, and will never again push code which was written late at night. Again, I really apologize.

On 06.07.2014 13:59, Reindl Harald wrote:

Am 06.07.2014 13:51, schrieb Sandro Mani:

...

On 06.07.2014 13:48, Reindl Harald wrote:

...

Am 06.07.2014 13:41, schrieb Sandro Mani:

...

On 06.07.2014 13:38, drago01 wrote:

...

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

> * A script automating most of the process of validating and processing the > request can be found at > > https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces... Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...

how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?

line 302 is a no-go in general line 301 before that smells like intention

i can't imagine that two lines together happen by mistake

It was a line ordering issue. The cwd before that call was the temporary directory. Please trust me, I really feel bad about this, and will never again push code which was written late at night. Again, I really apologize

accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue it's **** from a developers perspective because it leads *always* to unpredictable behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions somewhere or SELinux comes in place

that's horrible dangerous in any context

Fully accepted, and trust me, I fully realize how utterly stupid the code was. I probably was just over-eager to get the script done and go to bed. I just really hope that I did not cause any loss of data to anyone.

On Sun, 2014-07-06 at 13:48 +0200, Reindl Harald wrote:

Am 06.07.2014 13:41, schrieb Sandro Mani:

...

On 06.07.2014 13:38, drago01 wrote:

...

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

...

• A script automating most of the process of validating and processing the

request can be found at

https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...

how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?

line 302 is a no-go in general line 301 before that smells like intention

i can't imagine that two lines together happen by mistake

That may well be an issue with your imagination (or even experience). As for me, I'm struggling to imagine why would anyone do that intentionally.

I think (and hope) lot of us would be very unhappy if manage to build an environment where hastily punish people for mistakes or suspicions in a mob-like manner. Please give the guy a break and don't jump into too quick judgments.

Lubo

On 07/08/2014 08:53 AM, Lubomir Rintel wrote:

That may well be an issue with your imagination (or even experience). As for me, I'm struggling to imagine why would anyone do that intentionally.

I've seen something very much like this in response to posts on comp.lang.lisp where the respondent assumed that the poster asked for help with their homework, so it was intended as some form of punishment.

Sadly, devel hasn't much more culture of conduct left than comp.lang.lisp, so it is at least conceivable that someone would attempt to score a point in a discussion about patch submission procedures by showing that it's risky to accept contributions. I'm not saying that this is what has happened, but we have to be prepared for silliness like that (and academics submitting patches with intentional defects as part of their research studies etc.).

On Tue, Jul 08, 2014 at 11:46:11AM +0200, Reindl Harald wrote:

Am 08.07.2014 08:53, schrieb Lubomir Rintel:

...

On Sun, 2014-07-06 at 13:48 +0200, Reindl Harald wrote:

...

...

...

...

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...

how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?

line 302 is a no-go in general line 301 before that smells like intention

i can't imagine that two lines together happen by mistake

That may well be an issue with your imagination (or even experience)

and why do you not read the complete thread *before* you answer instead quote from the middle of it? that thread was finished and your response out of context days later shows pretty fine how flamewars are created

...

As for me, I'm struggling to imagine why would anyone do that intentionally

so you neve worked as sysadmin........

...

I think (and hope) lot of us would be very unhappy if manage to build an environment where hastily punish people for mistakes or suspicions in a mob-like manner. Please give the guy a break and don't jump into too quick judgments

and if that thread only leaded that *a few people* never again in their life type "shutil.rmtree(os.getcwd())" it gained a lot for the future

If we're speaking how to *prevent* this type of mistake properly... The answer to this problem is simple:

import tempfile with tempfile.TemporaryDirectory(prefix='simple-patch') as dir: do_stuff(dir)

No possibility of removing the wrong directory, nice and clear code, everything gets cleaned up even if an exception is thrown. Requires python 3 though.

Zbyszek

On Sun, Jul 06, 2014 at 01:41:08PM +0200, Sandro Mani wrote:

On 06.07.2014 13:38, drago01 wrote:

...

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

...

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...

Thank you for taking care of it so fast.

Kind regards Till

On Mon, Jul 07, 2014 at 03:35:16PM -0400, Stephen Gallagher wrote:

Just as a quick aside, I'd like to note that what you've all just witnessed is a perfect example of Open Source working exactly as it should. A mistake was made and another eagle-eyed contributor spotted it immediately.

Pat yourselves on the back, folks. The Open Source Way is working :)

Actually I did not find it first, I only read about it on IRC.

Regards Till

On Sun, Jul 6, 2014 at 7:38 PM, drago01 drago01@gmail.com wrote:

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

...

• A script automating most of the process of validating and processing the

request can be found at

https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?

Why it's considered as "simple"? I couldn't find it behind.

Yours sincerely, Christopher Meng

Noob here.

http://cicku.me

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

...

• A script automating most of the process of validating and processing the

request can be found at

https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Found no such lines. rmtree is only in line 361 (shutil.rmtree(tmpdir)).

Bye, a

On Mon, Jul 7, 2014 at 8:58 PM, Artifex Maximus artifexor@gmail.com wrote:

On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:

...

On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:

...

• A script automating most of the process of validating and processing the

request can be found at

https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/") | 302 shutil.rmtree(os.getcwd())

Found no such lines. rmtree is only in line 361 (shutil.rmtree(tmpdir)).

Read the rest of the thread ... tl;dr: This was just a mistake it has already been resolved.