Dear all,
Following the approval of the Simple Patch policy, all the necessary pieces are now in place.
* The policy can be read at
https://fedoraproject.org/wiki/Policy_for_simple_patches
* The bug tracking simple patch requests is
https://bugzilla.redhat.com/show_bug.cgi?id=SIMPLE_PATCHES
* A script automating most of the process of validating and processing the request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Proven packagers interested in helping out should add themselves to the SIMPLE_PATCHES bug.
Any fixes, suggestions and improvements to the process-simple-patch.py are very welcome!
Thanks, Sandro
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Kind regards Till
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
Hi,
On Sun, Jul 6, 2014 at 3:41 PM, Sandro Mani manisandro@gmail.com wrote:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing
the request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
Seems that you have NOT fixed the issue.
--
-Igor Gnatenko
On 06.07.2014 13:46, Igor Gnatenko wrote:
Hi,
On Sun, Jul 6, 2014 at 3:41 PM, Sandro Mani manisandro@gmail.com wrote:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing
the request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
Seems that you have NOT fixed the issue.
-Igor Gnatenko
I pushed one second ago...
Am 06.07.2014 13:41, schrieb Sandro Mani:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
On 06.07.2014 13:48, Reindl Harald wrote:
Am 06.07.2014 13:41, schrieb Sandro Mani:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
It was a line ordering issue. The cwd before that call was the temporary directory. Please trust me, I really feel bad about this, and will never again push code which was written late at night. Again, I really apologize.
Am 06.07.2014 13:51, schrieb Sandro Mani:
On 06.07.2014 13:48, Reindl Harald wrote:
Am 06.07.2014 13:41, schrieb Sandro Mani:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
It was a line ordering issue. The cwd before that call was the temporary directory. Please trust me, I really feel bad about this, and will never again push code which was written late at night. Again, I really apologize
accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue it's **** from a developers perspective because it leads *always* to unpredictable behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions somewhere or SELinux comes in place
that's horribly dangerous in any context
On 06.07.2014 13:59, Reindl Harald wrote:
Am 06.07.2014 13:51, schrieb Sandro Mani:
On 06.07.2014 13:48, Reindl Harald wrote:
Am 06.07.2014 13:41, schrieb Sandro Mani:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
* A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
It was a line ordering issue. The cwd before that call was the temporary directory. Please trust me, I really feel bad about this, and will never again push code which was written late at night. Again, I really apologize
accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue it's **** from a developers perspective because it leads *always* to unpredictable behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions somewhere or SELinux comes in place
that's horribly dangerous in any context
Fully accepted, and trust me, I fully realize how utterly stupid the code was. I probably was just over-eager to get the script done and go to bed. I just really hope that I did not cause any loss of data to anyone.
2014-07-06 13:51 GMT+02:00 Sandro Mani manisandro@gmail.com:
It was a line ordering issue. The cwd before that call was the temporary directory. Please trust me, I really feel bad about this, and will never again push code which was written late at night. Again, I really apologize.
Sounds likely, I was more worried that your credentials were stolen.
@everyone mistakes *happen*, don't be hasty http://fedoraproject.org/en/code-of-conduct
This stresses the importance of code review, and not running code that has been reviewed once.
best regards, H.
On Sun, 2014-07-06 at 13:48 +0200, Reindl Harald wrote:
Am 06.07.2014 13:41, schrieb Sandro Mani:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
That may well be an issue with your imagination (or even experience). As for me, I'm struggling to imagine why would anyone do that intentionally.
I think (and hope) a lot of us would be very unhappy if we manage to build an environment where we hastily punish people for mistakes or suspicions in a mob-like manner. Please give the guy a break and don't jump into too quick judgments.
Lubo
On 08.07.2014 08:53, Lubomir Rintel wrote:
On Sun, 2014-07-06 at 13:48 +0200, Reindl Harald wrote:
Am 06.07.2014 13:41, schrieb Sandro Mani:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
That may well be an issue with your imagination (or even experience). As for me, I'm struggling to imagine why would anyone do that intentionally.
I think (and hope) a lot of us would be very unhappy if we manage to build an environment where we hastily punish people for mistakes or suspicions in a mob-like manner. Please give the guy a break and don't jump into too quick judgments.
He accepted that it was a very unfortunate mistake later in the post. I can fully understand the first reaction of the people seeing such code, it definitely was not a pretty sight. Can we now please just close this thread? :)
On 07/08/2014 08:53 AM, Lubomir Rintel wrote:
That may well be an issue with your imagination (or even experience). As for me, I'm struggling to imagine why would anyone do that intentionally.
I've seen something very much like this in response to posts on comp.lang.lisp where the respondent assumed that the poster asked for help with their homework, so it was intended as some form of punishment.
Sadly, devel hasn't much more culture of conduct left than comp.lang.lisp, so it is at least conceivable that someone would attempt to score a point in a discussion about patch submission procedures by showing that it's risky to accept contributions. I'm not saying that this is what has happened, but we have to be prepared for silliness like that (and academics submitting patches with intentional defects as part of their research studies etc.).
Am 08.07.2014 08:53, schrieb Lubomir Rintel:
On Sun, 2014-07-06 at 13:48 +0200, Reindl Harald wrote:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
That may well be an issue with your imagination (or even experience)
and why do you not read the complete thread *before* you answer instead quote from the middle of it? that thread was finished and your response out of context days later shows pretty fine how flamewars are created
As for me, I'm struggling to imagine why would anyone do that intentionally
so you never worked as sysadmin........
I think (and hope) a lot of us would be very unhappy if we manage to build an environment where we hastily punish people for mistakes or suspicions in a mob-like manner. Please give the guy a break and don't jump into too quick judgments
and if that thread only led that *a few people* never again in their life type "shutil.rmtree(os.getcwd())" it gained a lot for the future
On Tue, Jul 08, 2014 at 11:46:11AM +0200, Reindl Harald wrote:
Am 08.07.2014 08:53, schrieb Lubomir Rintel:
On Sun, 2014-07-06 at 13:48 +0200, Reindl Harald wrote:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
how can a "rm -rf currentdir" happen by accident? and that combined with make / to the current dir?
line 302 is a no-go in general line 301 before that smells like intention
i can't imagine that two lines together happen by mistake
That may well be an issue with your imagination (or even experience)
and why do you not read the complete thread *before* you answer instead quote from the middle of it? that thread was finished and your response out of context days later shows pretty fine how flamewars are created
As for me, I'm struggling to imagine why would anyone do that intentionally
so you never worked as sysadmin........
I think (and hope) a lot of us would be very unhappy if we manage to build an environment where we hastily punish people for mistakes or suspicions in a mob-like manner. Please give the guy a break and don't jump into too quick judgments
and if that thread only led that *a few people* never again in their life type "shutil.rmtree(os.getcwd())" it gained a lot for the future
If we're speaking how to *prevent* this type of mistake properly... The answer to this problem is simple:
    import tempfile
    with tempfile.TemporaryDirectory(prefix='simple-patch') as dir:
        do_stuff(dir)
No possibility of removing the wrong directory, nice and clear code, everything gets cleaned up even if an exception is thrown. Requires python 3 though.
Zbyszek
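An added example, not part of any message in this thread and not code from process-simple-patch.py: it contrasts cleanup that targets os.getcwd() with cleanup that targets a stored path, and adds a mkdtemp-based context manager for interpreters without tempfile.TemporaryDirectory. The names cwd_based_target, remove_workdir, workdir and demo are hypothetical, and a throwaway sandbox directory stands in for "/".

```python
import os
import shutil
import tempfile
from contextlib import contextmanager


def cwd_based_target():
    """Path that shutil.rmtree(os.getcwd()) would delete: whatever the cwd is now."""
    return os.path.realpath(os.getcwd())


def remove_workdir(path, allowed_root):
    """Delete path only if it is a real directory strictly below allowed_root."""
    if os.path.islink(path):
        raise ValueError("refusing to follow symlink: %r" % path)
    real = os.path.realpath(path)
    root = os.path.realpath(allowed_root)
    # Reject the root itself and anything that is not underneath it.
    if real == root or os.path.commonpath([real, root]) != root:
        raise ValueError("refusing to delete %r (outside %r)" % (real, root))
    shutil.rmtree(real)


@contextmanager
def workdir(prefix="simple-patch-"):
    """Scoped temporary directory; cleanup uses the stored path, never the cwd."""
    path = tempfile.mkdtemp(prefix=prefix)
    try:
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)


def demo():
    start = os.getcwd()
    # Constructed sandbox: plays the role of "/" so nothing real is at risk.
    sandbox = os.path.realpath(tempfile.mkdtemp(prefix="sandbox-"))
    try:
        keep = os.path.join(sandbox, "keep.txt")
        with open(keep, "w") as fh:
            fh.write("data that must survive\n")
        work = tempfile.mkdtemp(prefix="simple-patch-", dir=sandbox)
        os.chdir(work)
        # The ordering slip: the chdir away from the work dir runs before
        # cleanup, so a cwd-based cleanup now points at the sandbox root.
        os.chdir(sandbox)
        target = cwd_based_target()
        try:
            remove_workdir(target, sandbox)
            refused = False
        except ValueError:
            refused = True
        # Cleanup by stored path removes only the work directory.
        remove_workdir(work, sandbox)
        with workdir() as scoped:
            existed = os.path.isdir(scoped)
        return {
            "cwd_target_is_sandbox": target == sandbox,
            "refused": refused,
            "keep_survived": os.path.exists(keep),
            "work_removed": not os.path.exists(work),
            "scoped_cleaned": existed and not os.path.exists(scoped),
        }
    finally:
        os.chdir(start)
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```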
On Sun, Jul 6, 2014 at 1:41 PM, Sandro Mani manisandro@gmail.com wrote:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing
the request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
OK, that was indeed a bit premature; I should have waited for you to respond before drawing any conclusions.
On Sun, Jul 06, 2014 at 01:41:08PM +0200, Sandro Mani wrote:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
Thank you for taking care of it so fast.
Kind regards Till
On 07/06/2014 07:41 AM, Sandro Mani wrote:
On 06.07.2014 13:38, drago01 wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and
processing the request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that
might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
Just as a quick aside, I'd like to note that what you've all just witnessed is a perfect example of Open Source working exactly as it should. A mistake was made and another eagle-eyed contributor spotted it immediately.
Pat yourselves on the back, folks. The Open Source Way is working :)
On Mon, Jul 07, 2014 at 03:35:16PM -0400, Stephen Gallagher wrote:
Just as a quick aside, I'd like to note that what you've all just witnessed is a perfect example of Open Source working exactly as it should. A mistake was made and another eagle-eyed contributor spotted it immediately.
Pat yourselves on the back, folks. The Open Source Way is working :)
Actually I did not find it first, I only read about it on IRC.
Regards Till
On 07/07/2014 09:35 PM, Stephen Gallagher wrote:
Just as a quick aside, I'd like to note that what you've all just witnessed is a perfect example of Open Source working exactly as it should. A mistake was made and another eagle-eyed contributor spotted it immediately.
Right, but you can easily turn this into the opposite: It demonstrates how lack of reviews and lack of carefulness rsp. self-overestimation allows individuals to compromise code.
Pat yourselves on the back, folks. The Open Source Way is working :)
Or .. we were lucky, this bug was serious enough to be found ;)
Ralf
On Sun, Jul 6, 2014 at 7:38 PM, drago01 drago01@gmail.com wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
Why it's considered as "simple"? I couldn't find it behind.
Yours sincerely, Christopher Meng
Noob here.
On Sun, Jul 6, 2014 at 1:54 PM, Christopher Meng cickumqt@gmail.com wrote:
On Sun, Jul 6, 2014 at 7:38 PM, drago01 drago01@gmail.com wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Ouch ... can we ban this guy from Fedora?
Why it's considered as "simple"? I couldn't find it behind.
I can't parse that.
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Found no such lines. rmtree is only in line 361 (shutil.rmtree(tmpdir)).
Bye, a
On 07.07.2014 20:58, Artifex Maximus wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Found no such lines. rmtree is only in line 361 (shutil.rmtree(tmpdir)).
The issue was there unfortunately, but luckily it was discovered before causing disasters. Clearly, the issue has since been fixed.
On Mon, Jul 7, 2014 at 8:58 PM, Artifex Maximus artifexor@gmail.com wrote:
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas opensource@till.name wrote:
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
- A script automating most of the process of validating and processing the
request can be found at
https://github.com/manisandro/fedora-process-simple-patch/blob/master/proces...
Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:
| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())
Found no such lines. rmtree is only in line 361 (shutil.rmtree(tmpdir)).
Read the rest of the thread ... tl;dr: This was just a mistake; it has already been resolved.