Bug 877495 - games-action/polymc: upstream project hijacked
Summary: games-action/polymc: upstream project hijacked
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2022-10-17 20:00 UTC by Enne Eziarc
Modified: 2022-11-06 13:35 UTC
See Also:
Package list:
Runtime testing required: ---


Description Enne Eziarc 2022-10-17 20:00:50 UTC
A Freenode-esque hostile takeover of the project is presently unfolding[1][2]. Recommend p.masking (-9999 at least) and last-riting as it's only downhill from here.

games-action/multimc-bin is still in portage as a migration path.

[1]: https://floss.social/@modrinth/109185261746948078
[2]: https://github.com/PolyMC/PolyMC/commit/ccf282593dcdbe189c99b81b8bc90cb203aed3ee
Comment 1 Larry the Git Cow gentoo-dev 2022-10-17 20:10:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b211050943eeda2974b0f54538b6e9245825a7e

commit 4b211050943eeda2974b0f54538b6e9245825a7e
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-17 20:09:14 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-17 20:09:50 +0000

    games-action/polymc: drop 9999
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 games-action/polymc/polymc-9999.ebuild | 147 ---------------------------------
 1 file changed, 147 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 20:10:32 UTC
Is there any way that the compromise can affect the non-live package in Gentoo?
Comment 3 Andrew Ammerlaan gentoo-dev 2022-10-17 20:13:55 UTC
I'm dropping 9999 until the situation resolves itself. I think we can keep the release version 1.4.2 because we check the hash of the download tarball, so if there is any tampering there we will know.
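The tarball check referred to above, as an added example that is not part of this bug or of Portage's own code: a small Python re-implementation of a Gentoo Manifest2 DIST verification. The tarball bytes and the Manifest line derived from them are constructed for the example; the function names are the example's own.

```python
"""Verify a downloaded distfile against a Gentoo-style Manifest DIST entry.

Added example, not Portage code. A DIST line records the file name, size and
one or more digests; a replaced upstream tarball changes the digests, so the
fetch is rejected even if the release tag on the hijacked repo still exists.
"""
import hashlib

# Digest names as written in Manifest files, mapped to hashlib names.
HASHES = {"BLAKE2B": "blake2b", "SHA512": "sha512"}


def parse_manifest(text):
    """Return {filename: (size, {HASH: hexdigest})} for the DIST entries."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue  # only DIST entries describe fetched distfiles
        name, size, rest = fields[1], int(fields[2]), fields[3:]
        if len(rest) % 2:
            raise ValueError(f"malformed DIST entry for {name}")
        entries[name] = (size, dict(zip(rest[0::2], rest[1::2])))
    return entries


def verify_distfile(name, data, entries):
    """Return a list of problems; an empty list means the file matches."""
    if name not in entries:
        return ["no DIST entry in Manifest"]  # unlisted files are never trusted
    size, digests = entries[name]
    problems = []
    if len(data) != size:
        problems.append(f"size {len(data)} != {size}")
    for algo, expected in digests.items():
        if algo not in HASHES:
            continue  # unknown algorithm: neither verified nor trusted
        if hashlib.new(HASHES[algo], data).hexdigest() != expected:
            problems.append(f"{algo} mismatch")
    if not any(algo in HASHES for algo in digests):
        problems.append("no supported digest in Manifest entry")
    return problems


def manifest_entry(name, data):
    """Build the DIST line for known-good bytes (what regenerating a Manifest does)."""
    parts = ["DIST", name, str(len(data))]
    for algo, impl in HASHES.items():
        parts += [algo, hashlib.new(impl, data).hexdigest()]
    return " ".join(parts)


# Constructed sample: a stand-in for the release tarball and its Manifest line.
GOOD = b"polymc-1.4.2 release tarball (constructed sample bytes)\n"
MANIFEST = manifest_entry("polymc-1.4.2.tar.gz", GOOD)


def demo():
    """Check the good tarball and a same-size modified copy against the Manifest."""
    entries = parse_manifest(MANIFEST)
    ok = verify_distfile("polymc-1.4.2.tar.gz", GOOD, entries)
    # Same-length modification defeats the size check alone; the digests catch it.
    altered = GOOD.replace(b"release", b"altered")
    bad = verify_distfile("polymc-1.4.2.tar.gz", altered, entries)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```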
Comment 4 Larry the Git Cow gentoo-dev 2022-10-17 20:16:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3fe899821fbdc51e18734a39c259a3709744792

commit c3fe899821fbdc51e18734a39c259a3709744792
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-17 20:15:45 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-17 20:15:45 +0000

    profiles: mask polymc-9999
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 5 Andrew Ammerlaan gentoo-dev 2022-10-17 20:17:54 UTC
(In reply to John Helmert III from comment #2)
> Is there any way that the compromise can affect the non-live package in
> Gentoo?

I'm pretty sure we should be fine on the non-live packages. AFAIK the software does not interact with any servers they own. @flowlnlnln can you confirm this?
Comment 6 Thiago 2022-10-17 20:20:50 UTC
Sorry, I'm not home to take care of this. Yes, the launcher does interact with the meta server, which is also hijacked. Users should at least change it under the launcher API settings to prevent anything bad...
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 20:22:43 UTC
(In reply to Thiago from comment #6)
> Sorry, I'm not home to take care of this. Yes, the launcher does interact with
> the meta server, which is also hijacked. Users should at least change it under
> the launcher API settings to prevent anything bad...

Should we mask the whole package then?
Comment 8 Thiago 2022-10-17 20:23:47 UTC
Probably, but still, current users should change that too.
Comment 9 Enne Eziarc 2022-10-17 20:24:30 UTC
(In reply to Thiago from comment #6)
> Sorry, I'm not home to take care of this. Yes, the launcher does interact with
> the meta server, which is also hijacked. Users should at least change it under
> the launcher API settings to prevent anything bad...

Oh, that's a bother. I thought its third-party integration was limited to pastebin log uploading.

Thanks all for the extremely quick response.
Comment 10 Larry the Git Cow gentoo-dev 2022-10-17 20:28:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d82e59ee8de932522b8282d3f144aaa3cb56a2cd

commit d82e59ee8de932522b8282d3f144aaa3cb56a2cd
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-17 20:27:34 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-17 20:27:34 +0000

    profiles: mask all versions of polymc
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 profiles/package.mask | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
Comment 11 Michael Crawford (ali3nx) 2022-10-17 21:35:46 UTC
Summary additions to this issue to add viewed by referring to public comments regarding these events.

The current github project "owner" appears to be transphobic and the questionable "hostile" takeover appears to surround deletion of a code of conduct from the git project repo.

https://github.com/PolyMC/PolyMC/commit/ccf282593dcdbe189c99b81b8bc90cb203aed3ee
https://www.reddit.com/r/PolyMCLauncher/comments/y6k4x7/switch_off_of_polymc_asap/

Currently there doesn't appear to be a security concern. Just poor morality concerns that understandably triggered a LOT of more socially accepting humanoids.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 21:45:50 UTC
(In reply to Michael Crawford (ali3nx) from comment #11)
> Summary additions to this issue to add viewed by referring to public
> comments regarding these events.

Worth noting that all other project members have been removed by the organisation, including the Gentoo maintainer.
Comment 13 Michael Crawford (ali3nx) 2022-10-17 22:03:13 UTC
(In reply to Sam James from comment #12)
> (In reply to Michael Crawford (ali3nx) from comment #11)
> > Summary additions to this issue to add viewed by referring to public
> > comments regarding these events.
> 
> Worth noting that all other project members have been removed by the
> organisation, including the Gentoo maintainer.

That is certainly a valid concern. There's currently no vulnerable code commits, but that may yet still occur.

I suspect Github could possibly become involved in restoring the project to responsible contributors if enough people made some noise about it surrounding the concerns within the context of the true root cause, but until that happens, if it does, someone succeeded at ruining support for a useful software project.
Comment 14 Enne Eziarc 2022-10-17 22:06:47 UTC
(In reply to Michael Crawford (ali3nx) from comment #13)
> (In reply to Sam James from comment #12)
> > (In reply to Michael Crawford (ali3nx) from comment #11)
> > > Summary additions to this issue to add viewed by referring to public
> > > comments regarding these events.
> > 
> > Worth noting that all other project members have been removed by the
> > organisation, including the Gentoo maintainer.
> 
> That is certainly a valid concern. There's currently no vulnerable code
> commits, but that may yet still occur.
> 
> I suspect Github could possibly become involved in restoring the project to
> responsible contributors if enough people made some noise about it
> surrounding the concerns within the context of the true root cause, but until
> that happens, if it does, someone succeeded at ruining support for a useful
> software project.

As hinted upthread (comment #6), this program is basically a vehicle for LD_PRELOAD-over-http, and the server that provides that arbitrary code is also compromised. That's pretty much game over as far as fixing it.
Comment 15 Joshua Goins 2022-10-18 01:00:47 UTC
(In reply to Michael Crawford (ali3nx) from comment #11)
> Summary additions to this issue to add viewed by referring to public
> comments regarding these events.
> 
> The current github project "owner" appears to be transphobic and the
> questionable "hostile" takeover appears to surround deletion of a code of
> conduct from the git project repo.
>
> Currently there doesn't appear to be a security concern. Just poor morality
> concerns that understandably triggered a LOT of more socially accepting
> humanoids.

I wanted to pop in some context from someone who was a very, very early contributor to the project, for example the About page was overhauled by me, along with submitting some bugfixes. I'm still sitting on patches for enabling system icons too :-p

This is nothing surprising at all, unfortunately. I interacted with Lenny very little, but he definitely stood out as someone unprofessional right from the get-go. He's not even a major code contributor either; it's all held up by devs like Scrumplex, even from the very beginning. It's just unfortunate all of these Minecraft launchers seem to have this bad attitude around them. I know game modding in general is not a highly regarded community, but Minecraft seems to draw out the worst people.
Comment 16 Thiago 2022-10-18 01:42:11 UTC
To clarify what is going on, and what will likely happen to this package:

Considering all that's happened until now, it seems very unlikely that we'll get back the PolyMC project as a whole. Instead, me, the previous maintainers that weren't involved in this incident, and a couple other trustworthy people, will probably be forking PolyMC for good.

For now, it's still very early to know what will happen for sure, but my plan is to remove the polymc package from the repos, since it's not trustworthy anymore, and *if* a more robust / trustworthy governance over the new project / fork can be achieved, such that this sort of problem won't happen again by any means, then it could perhaps be repackaged as the new fork. It would probably take some time for things to shape up and for the trust to be regained... Perhaps it could be placed in the GURU repo or something, I don't know.

Sorry to all the Gentoo people who had to deal with this situation... You are amazing. :)
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-18 15:53:31 UTC
Thiago, as soon as you have something ready to roll, please submit it to ::gentoo and we'll get it in. No need to go via guru. Thanks for your work!
Comment 18 Larry the Git Cow gentoo-dev 2022-10-20 04:25:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cacfa151958efec7c8e5f893e98809e15d6b0c28

commit cacfa151958efec7c8e5f893e98809e15d6b0c28
Author:     Thiago Donato Ferreira <flowlnlnln@gmail.com>
AuthorDate: 2022-10-19 22:03:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-20 04:22:23 +0000

    games-action/prismlauncher: add 5.0
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Thiago Donato Ferreira <flowlnlnln@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27860
    Signed-off-by: Sam James <sam@gentoo.org>

 games-action/prismlauncher/Manifest                |   1 +
 .../prismlauncher/prismlauncher-5.0.ebuild         | 147 +++++++++++++++++++++
 2 files changed, 148 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a56bea75ed3a0b6795a4c2446422ef38367e13a6

commit a56bea75ed3a0b6795a4c2446422ef38367e13a6
Author:     Thiago Donato Ferreira <flowlnlnln@gmail.com>
AuthorDate: 2022-10-19 00:13:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-20 04:22:22 +0000

    games-action/prismlauncher: new package, add 9999
    
    This is mostly an adaptation of the games-action/polymc ebuild,
    considering we're a 2-day old fork of it.
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Thiago Donato Ferreira <flowlnlnln@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 games-action/prismlauncher/metadata.xml            |  26 ++++
 .../prismlauncher/prismlauncher-9999.ebuild        | 143 +++++++++++++++++++++
 2 files changed, 169 insertions(+)
Comment 19 Larry the Git Cow gentoo-dev 2022-10-20 04:26:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5dfb24525e2b5ef596fd03e1fd2bdf5e241f4ada

commit 5dfb24525e2b5ef596fd03e1fd2bdf5e241f4ada
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-20 04:26:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-20 04:26:31 +0000

    profiles: mention games-action/prismlauncher as polymc alternative
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
Comment 20 Larry the Git Cow gentoo-dev 2022-10-20 07:33:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ea86dea4fb6a07406c7a76f48f2b96275bcda37

commit 3ea86dea4fb6a07406c7a76f48f2b96275bcda37
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-10-20 07:30:12 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-10-20 07:30:12 +0000

    package.mask: last-rites games-action/polymc
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 profiles/package.mask | 3 +++
 1 file changed, 3 insertions(+)
Comment 21 Carson Rueter 2022-10-20 22:23:26 UTC
It seems a bit far-fetched to say that someone would push malicious code to a public, open source project, for everyone to see, knowing that it's highly illegal and could land them in jail for a few years. And I can confirm that Lenny has not been compromised, everything done was of his own volition, and will be making sure that no malicious code ever lands into PolyMC. I will also vet each release and make sure it's legit.
Comment 22 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 22:34:13 UTC
(In reply to Carson Rueter from comment #21)
> It seems a bit far-fetched to say that someone would push malicious code to
> a public, open source project, for everyone to see, knowing that it's highly
> illegal and could land them in jail for a few years. And I can confirm that
> Lenny has not been compromised, everything done was of his own volition, and
> will be making sure that no malicious code ever lands into PolyMC. I will
> also vet each release and make sure it's legit.

Regardless of your opinion of the guy, PolyMC isn't the same project as it was before. With developers going elsewhere, there's really no reason to keep it around.
Comment 23 Carson Rueter 2022-10-20 22:47:38 UTC
(In reply to John Helmert III from comment #22)
> (In reply to Carson Rueter from comment #21)
> > It seems a bit far-fetched to say that someone would push malicious code to
> > a public, open source project, for everyone to see, knowing that it's highly
> > illegal and could land them in jail for a few years. And I can confirm that
> > Lenny has not been compromised, everything done was of his own volition, and
> > will be making sure that no malicious code ever lands into PolyMC. I will
> > also vet each release and make sure it's legit.
> 
> Regardless of your opinion of the guy, PolyMC isn't the same project as it
> was before. With developers going elsewhere, there's really no reason to
> keep it around.

There are still, however, a variety of people who will continue to use PolyMC. The amount of people who will continue is significant enough, in my opinion, to warrant keeping this ebuild around.
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 22:53:51 UTC
(In reply to Carson Rueter from comment #23)
> There are still, however, a variety of people who will continue to use
> PolyMC. The amount of people who will continue is significant enough, in my
> opinion, to warrant keeping this ebuild around.

Someone will need to volunteer to maintain it in Gentoo then.
Comment 25 Enne Eziarc 2022-10-20 22:55:08 UTC
(In reply to Carson Rueter from comment #23)
> There are still, however, a variety of people who will continue to use
> PolyMC. The amount of people who will continue is significant enough, in my
> opinion, to warrant keeping this ebuild around.

I'll cut through the bullshit for the benefit of everyone else here: you're only here because you're incandescent over no longer having proxy-maintainer control over an ebuild in ::gentoo, and possibly because your troll buddy egged you on to throw a tantrum. You assume everyone here is a gullible idiot who'll buckle at the weakest rhetoric, and to be blunt, that's projection on your part.

Enjoy your ghost town of a github project and your unfunny 4chan memes, because you ain't ever getting this back.
Comment 26 Carson Rueter 2022-10-20 23:55:51 UTC
(In reply to Sam James from comment #24)
> (In reply to Carson Rueter from comment #23)
> > There are still, however, a variety of people who will continue to use
> > PolyMC. The amount of people who will continue is significant enough, in my
> > opinion, to warrant keeping this ebuild around.
> 
> Someone will need to volunteer to maintain it in Gentoo then.

I'm currently a proxy maintainer. Although if you mean someone with push access then yeah.
Comment 27 Carson Rueter 2022-10-21 00:22:23 UTC
(In reply to Enne Eziarc from comment #25)
> I'll cut through the bullshit for the benefit of everyone else here: you're
> only here because you're incandescent over no longer having proxy-maintainer
> control over an ebuild in ::gentoo, and possibly because your troll buddy
> egged you on to throw a tantrum. You assume everyone here is a gullible
> idiot who'll buckle at the weakest rhetoric, and to be blunt, that's
> projection on your part.
> 
> Enjoy your ghost town of a github project and your unfunny 4chan memes,
> because you ain't ever getting this back.

Does that have any relevance to the fact that PolyMC has a user base that would find an ebuild useful?
Comment 28 Andrew Ammerlaan gentoo-dev 2022-10-21 08:10:03 UTC
> There are still, however, a variety of people who will continue to use
> PolyMC. The amount of people who will continue is significant enough, in my
> opinion, to warrant keeping this ebuild around.

> Does that have any relevance to the fact that PolyMC has a user base that
> would find an ebuild useful?

IMO, since most of the development has moved it makes sense for the users to also move to the new fork. Maintaining ebuilds for both versions is double the work, for no extra benefit.

That being said, if someone is willing to put in this extra effort they are free to do so. Just don't expect me to act as a proxy for that, because I for one won't be rewarding Lenny's toxic and unprofessional behaviour by continuing to package polymc when there is a perfectly fine fork available.

@Carson is right though about this not really being a security bug any more. The initial concerns were that a malicious individual had gained access to one of the developers' accounts. Now we know that this is not the case, and that this is a case of toxic and unprofessional behaviour and not necessarily a security leak. I think it therefore makes sense to re-assign the bug.
Comment 29 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 14:34:25 UTC
I think this *is* a security issue, given https://bugs.gentoo.org/877495#c14. However, given there's no clear attempt at exploitation, there's not much more we can do here but wait for last rites to expire.
Comment 30 Carson Rueter 2022-10-21 20:15:40 UTC
(In reply to Andrew Ammerlaan from comment #28)
> IMO, since most of the development has moved it makes sense for the users to
> also move to the new fork. Maintaining ebuilds for both versions is double
> the work, for no extra benefit.
> 
> That being said, if someone is willing to put in this extra effort they are
> free to do so. Just don't expect me to act as a proxy for that, because I
> for one won't be rewarding Lenny's toxic and unprofessional behaviour by
> continuing to package polymc when there is a perfectly fine fork available.

Yeah I'm willing to continue ebuild maintenance here. If not, I can still create my own overlay.
Comment 31 Larry the Git Cow gentoo-dev 2022-11-06 07:59:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19a8f17595a0e1717879a2f2626d13da2dbabc6f

commit 19a8f17595a0e1717879a2f2626d13da2dbabc6f
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2022-11-06 07:59:23 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2022-11-06 07:59:45 +0000

    games-action/polymc: treeclean
    
    Bug: https://bugs.gentoo.org/877495
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 games-action/polymc/Manifest                       |   1 -
 .../polymc/files/polymc-1.4.1-include_QDebug.patch |  16 ---
 games-action/polymc/metadata.xml                   |  29 -----
 games-action/polymc/polymc-1.4.2-r2.ebuild         | 135 ---------------------
 profiles/package.mask                              |  11 --
 5 files changed, 192 deletions(-)
Comment 32 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-06 13:30:50 UTC
Thanks all! All done here, though I wonder if there's any use in keeping the package.mask entry a bit longer just in case.
Comment 33 Carson Rueter 2022-11-06 13:35:04 UTC
I explicitly said I would take over maintainership, and that generally means that you shouldn't delete the entire package. Disappointed in the lack of respect, but no matter, I suppose I'll make an overlay.