Hi, Nathan. I'm CCing devel@ and test@ so folks are aware this has been going on.
It came to my attention this morning that you appear to be using some kind of agentic AI system to try and resolve Fedora bugs. It's great that you're trying to fix things, but the results seem to be kind of erratic. I'm still working through your Bugzilla history, but so far I've seen several issues.
1. You or your system (henceforth just "you", for simplicity) are consistently re-assigning bugs to your account, even though you are not a maintainer of any of the affected packages AFAICT and so do not actually have the power to resolve them in Fedora. Fedora Bugzilla is for tracking the *downstream* state of bugs; thus the assignee should be a person who can actually resolve the bug in downstream, i.e. a package maintainer. Please stop assigning bugs to your account. Examples: https://bugzilla.redhat.com/show_bug.cgi?id=2477150 , https://bugzilla.redhat.com/show_bug.cgi?id=2480139 , https://bugzilla.redhat.com/show_bug.cgi?id=2480661 etc. etc. (there are dozens of these).
2. You have closed multiple bugs immediately upon submitting an apparently-LLM generated fix upstream, or upon a proposed fix being merged upstream. This is not appropriate for downstream Fedora reports. The appropriate state for a Fedora downstream bug where a fix is proposed upstream but not yet applied in any way downstream is POST. The downstream bug should only be closed when a fix is applied downstream and has reached stable (and, ideally, been verified in testing). Examples: https://bugzilla.redhat.com/show_bug.cgi?id=2469013 , https://bugzilla.redhat.com/show_bug.cgi?id=2479830
3. You have closed multiple bugs in components you do not own as NOTABUG, with a clearly LLM-generated comment. In several instances the comment more or less regurgitated the reporter's description: https://bugzilla.redhat.com/show_bug.cgi?id=2481872#c1 , https://bugzilla.redhat.com/show_bug.cgi?id=2481744#c2 . In other cases the message is superficially plausible, but problematic in other ways, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2481012#c2 , where you confidently asserted that the problem was definitely a firmware issue and explicitly recommended a difficult and potentially problematic action ("Please try installing the `intel_cvs` driver from the Intel Vision Drivers repository").
4. You have submitted LLM-generated "fixes" that are incorrect, and replied to objections with LLM-generated justifications that eventually overwhelmed the maintainer into merging the fix: https://github.com/rhinstaller/anaconda/pull/7074#issuecomment-4556782893
I don't think, taken together, these actions are having a positive impact on Fedora or the upstream projects.
I would suggest you adjust your agentic system to be substantially less autonomous. Specifically, I would suggest that it must not:
1. Assign bugs in RHBZ to yourself
2. Change the state of bugs
3. Post confident assertions or specific action recommendations
without review by yourself or another human with appropriate topic area understanding. In all cases it should not assign bugs to yourself or any other party who does not actually have the necessary commit access to resolve those bugs *in Fedora*, and should not change the state of a bug incorrectly (the reference here is https://docs.fedoraproject.org/en-US/package-maintainers/bug_status/ , but that doc is unfortunately broken, I see; I'll send a fix when I'm done cleaning this up). Any LLM-generated text that purports to explain why an issue is happening, why a given change would fix it, and/or recommends any actions to a reporter or maintainer should be clearly flagged as LLM-generated and potentially incorrect, unless it has been carefully reviewed and edited by a human expert.
Thanks!
On Wed, 2026-05-27 at 10:49 -0700, Adam Williamson wrote:
Hi, Nathan. I'm CCing devel@ and test@ so folks are aware this has been going on.
Update on this: Nathan got back to me and says his credentials were compromised and he was not the one behind this AI system. Obviously we should therefore treat any actions it has taken with suspicion. I'm continuing to review the history of Nathan's Bugzilla account; I'll adjust the texts I'm posting to bugs and associated upstream PRs from now on, and review them even more aggressively.
If folks can help look for other actions taken by Nathan's accounts and review them, that would be great.
Hi,
thank you for the update. I confirm that my credentials were compromised earlier and that I was not the one performing the actions observed by the AI system.
Fortunately, I was able to regain access to both my GitHub and Fedora accounts later in the evening, and I am currently securing and reviewing all involved systems and credentials.
I will personally handle the verification and review process. To help identify accounts and actions that have been directly verified by me, I will use the term “NATCIOS” to indicate anything I have personally verified.
Also, please note that my official GitHub account is nathangiovannini99.
Thank you all for your support and for the additional reviews.
On 27 May 2026 21:15:44 CEST, Adam Williamson adamwill@fedoraproject.org wrote:
On Wed, 2026-05-27 at 21:22 +0200, nathan wrote:
Thanks. I note that GitHub account was created an hour ago. I also can't help noticing your recent mails (this one, and the one you sent to me privately) do not read much like previous emails you have sent, and have fairly different header blocks. I can't help but suspect these emails are also LLM-generated or assisted. By whom and to what purpose, it's hard to guess. The following scenarios seem possible:
1) You are Nathan, and the situation is as you claim: some of your credentials were compromised and used in the operation of this system, but you are now back in control.
2) You are Nathan, but there was not actually an account compromise; you were in control of the accounts and the agentic system all along.
3) You are not Nathan, you are an attacker who is still in control of his email address and other accounts.
I don't know which of these is true and don't feel qualified to determine it. I apologize for any offence caused by my noting that scenario 2) is a possibility, but we do have to be clear-eyed in figuring out what's actually going on here.
The identity and security aspects of this whole situation feel a little beyond my area of expertise at this point; if others could help out, it'd be great.
Here's my current understanding of the situation:
* I've reviewed all activity in RHBZ by the nathan95 account this year: https://bugzilla.redhat.com/page.cgi?id=user_activity.html&action=run&am... . The first suspicious activity appears to date to 2026-04-07 - severity and priority changes to https://bugzilla.redhat.com/show_bug.cgi?id=2416721 with no obvious justification. The last activity before 2026-04-27 was in January and appears legitimate. The first instance of a bug's assignee being changed to the nathan95 account was https://bugzilla.redhat.com/show_bug.cgi?id=2469013 on 2026-05-12 and suspicious activity occurred regularly after that. I have taken appropriate actions on each affected bug and upstream issues / PRs if any were linked.
* Related PRs were created on GitHub by the accounts https://github.com/leurus27-boop and https://github.com/nathan9513-aps . Both accounts should likely be treated as suspicious. I will report both to GitHub shortly.
* A related MR was created on invent.kde.org by the account https://invent.kde.org/nathangiovannini , which again should be treated as suspicious, and which I will report.
* I have not reviewed any actions taken by any of the involved accounts which were not somehow related to Bugzilla, yet. We should probably look through anything else we can track the nathan95 account as having done in Fedora systems, and other things done by the associated GitHub accounts (or at least flag up that projects they have touched should review them).
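The account review Adam describes above (and the three "must not" rules from the first mail) can be mechanised over the Bugzilla change history. The following is an added example and not code from this thread, from Fedora infrastructure or from Bugzilla: it consumes the JSON shape returned by Bugzilla's REST endpoint GET /rest/bug/<id>/history and flags self-assignment on components the account does not maintain, status/resolution changes, and unexplained priority/severity edits, then reports the earliest flagged change. The maintainer map, the bug-to-component map, the bug ids, account names and timestamps are all constructed for the example.

```python
"""Review a Bugzilla account's change history for the patterns the thread
describes: self-assignment on components the account does not maintain,
status/resolution changes, and unexplained priority/severity edits.

Added example, not code from the thread, Fedora or Bugzilla. It consumes the
JSON shape Bugzilla's REST API returns from GET /rest/bug/<id>/history and
runs offline on the constructed sample below.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed: accounts allowed to own downstream bugs per component. A real
# script would take this from Fedora's packager / dist-git metadata.
MAINTAINERS = {
    "anaconda": {"anaconda-maint@example.org"},
    "kernel": {"kernel-maint@example.org"},
}

# Constructed sample in the shape of GET /rest/bug/<id>/history responses,
# merged into one "bugs" list. Ids, accounts and timestamps are made up.
SAMPLE_HISTORY = json.dumps({"bugs": [
    {"id": 1001, "history": [
        {"when": "2026-01-20T10:00:00Z", "who": "nathan95@example.org",
         "changes": [{"field_name": "cc", "removed": "", "added": "nathan95@example.org"}]},
        {"when": "2026-04-07T09:15:00Z", "who": "nathan95@example.org",
         "changes": [{"field_name": "severity", "removed": "medium", "added": "high"},
                     {"field_name": "priority", "removed": "unspecified", "added": "high"}]},
    ]},
    {"id": 1002, "history": [
        {"when": "2026-05-10T14:00:00Z", "who": "anaconda-maint@example.org",
         "changes": [{"field_name": "assigned_to", "removed": "extras-qa@example.org",
                      "added": "anaconda-maint@example.org"},
                     {"field_name": "status", "removed": "NEW", "added": "ASSIGNED"}]},
        {"when": "2026-05-12T08:30:00Z", "who": "nathan95@example.org",
         "changes": [{"field_name": "assigned_to", "removed": "anaconda-maint@example.org",
                      "added": "nathan95@example.org"}]},
        {"when": "2026-05-13T16:45:00Z", "who": "nathan95@example.org",
         "changes": [{"field_name": "status", "removed": "ASSIGNED", "added": "CLOSED"},
                     {"field_name": "resolution", "removed": "", "added": "UPSTREAM"}]},
    ]},
]})

# Constructed: component of each sample bug. The history endpoint does not
# include it; a real script would fetch /rest/bug/<id>?include_fields=component.
COMPONENTS = {1001: "kernel", 1002: "anaconda"}


@dataclass(frozen=True)
class Finding:
    bug_id: int
    when: str          # Bugzilla timestamp, e.g. 2026-05-12T08:30:00Z
    who: str
    kind: str          # self_assign | status_change | triage_field
    detail: str


def _when(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def triage(history_json: str, account: str, components: dict) -> list:
    """Return the reviewed account's flagged changes, oldest first.

    Only history entries made by `account` are examined; a maintainer of the
    bug's component assigning it to themselves is not flagged.
    """
    findings = []
    for bug in json.loads(history_json)["bugs"]:
        bug_id = bug["id"]
        allowed = MAINTAINERS.get(components.get(bug_id, ""), set())
        for entry in bug["history"]:
            if entry["who"] != account:
                continue
            for change in entry["changes"]:
                field = change["field_name"]
                detail = f"{field}: {change['removed']!r} -> {change['added']!r}"
                if field == "assigned_to" and change["added"] == account and account not in allowed:
                    kind = "self_assign"
                elif field in ("status", "resolution"):
                    kind = "status_change"
                elif field in ("priority", "severity"):
                    kind = "triage_field"
                else:
                    continue  # cc, flags, attachments etc. are not reviewed here
                findings.append(Finding(bug_id, entry["when"], account, kind, detail))
    findings.sort(key=lambda f: _when(f.when))
    return findings


def summarize(findings: list) -> dict:
    """Count of findings per kind, for a quick overview of an account."""
    return dict(Counter(f.kind for f in findings))


def first_suspicious(findings: list):
    """Timestamp of the earliest flagged change (the 'when did this start'
    question), or None if nothing was flagged."""
    return findings[0].when if findings else None


if __name__ == "__main__":
    for f in triage(SAMPLE_HISTORY, "nathan95@example.org", COMPONENTS):
        print(f.when, f.bug_id, f.kind, f.detail)
```

The status check deliberately flags every status or resolution change by the reviewed account rather than only CLOSED/NOTABUG, because the thread's complaint is that any state change by a non-maintainer needs human review; a reviewer then reads the detail column to decide whether the move was to POST (acceptable for an upstream-only fix) or straight to CLOSED.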
On Wed, 2026-05-27 at 13:08 -0700, Adam Williamson wrote:
Sorry, forgot to mention, very important: nothing I found so far looks outright *malicious*.
On Wed, 2026-05-27 at 13:13 -0700, Adam Williamson wrote:
Indeed, and as part of the team working on the Anaconda installer I still find the whole situation really problematic:
* we spent quite a lot of time reviewing the PRs from what initially looked like a new eager contributor
* while it started to look off after a while, all the replies were still like this - a bit weird, but still *plausible* (e.g. no arguing or ignoring our questions - just, as it turns out, AI generated slop basically :P)
Unfortunately, for an actual attack the preparatory phase could (and for the Xz attack did) look very similar - a new contributor slowly gaining trust in the community, getting in harmless changes and building up to the point when the attack payload can be injected (or the changes not actually being harmless if combined the right way).
So not saying this was it, but an AI-agent-automated attempt at an Xz-like compromise might really look very similar to what we have just seen here. :P
-- Adam Williamson (he/him/his) Fedora QA Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@fosstodon.org https://www.happyassassin.net