Reactos participation and windows source leaked


jimtabor
Developer
Posts: 223
Joined: Thu Sep 29, 2005 3:00 pm

Re: Reactos participation and windows source leaked

Post by jimtabor » Tue Jan 22, 2019 9:58 am

The full history from SVN to GIT seems to be lost.

binarymaster
Posts: 271
Joined: Sun Nov 16, 2014 7:05 pm
Location: Russia, Moscow
Contact:

Re: Reactos participation and windows source leaked

Post by binarymaster » Tue Jan 22, 2019 10:22 am

hbelusca wrote:
Mon Jan 21, 2019 6:26 pm
Ok we know it's a dangling commit, since it is known that GitHub can keep dangling commits. The question is from where does it originate? Because if it was from guy's branch, it would not be in "reactos/reactos".
It may be possible to ask GitHub support to perform a "git gc" on the hosted repo in order to clear all that bullshit.

Maybe somebody once created a Pull Request from his branch, and the main repository fetched and stored that commit (even if the source PR has been closed).

You can always access commits from PRs by hash as if they are already in main repo, for example: This is just how git works.

PurpleGurl
Posts: 1777
Joined: Fri Aug 07, 2009 5:11 am
Location: USA

Re: Reactos participation and windows source leaked

Post by PurpleGurl » Tue Jan 22, 2019 11:58 am

karlexceed wrote:
Mon Jan 21, 2019 10:22 pm
The GitHub user implicated made two other commits on the same day with the same commit title, but different descriptions:
https://github.com/GreenteaOS/Greentea/ ... 632337cf15
https://github.com/GreenteaOS/Greentea/ ... 423f9c8782

But I can't find any evidence as to where the commit in question originated.

The commit is marked as 'Verified', which means it was signed, but that doesn't necessarily mean that it was the GreenTea contributor that did this. See: http://www.jayhuang.org/blog/tag/impersonating/

Literally anyone could have forked ReactOS and made this commit. Someone is definitely trying to stir things up.

Now he did adopt the CoC for his project which helps seed SJW stuff which tends to cause problems in open source projects. I'm wondering if that isn't the intent of some, extorting projects to adopt the CoC or be harassed out of existence. But we have no way of knowing at this time, and I am not assigning blame.

I agree that it might not even be the guy in question. If it is related to SJW stuff, any 3rd-party actor could be involved. Thank you for pointing that out.

Edit: I went back and edited my earlier post. I hope it is more acceptable.

Quim
Posts: 235
Joined: Wed Jul 04, 2018 11:45 pm

Re: Reactos participation and windows source leaked

Post by Quim » Tue Jan 22, 2019 1:11 pm

EmuandCo wrote:
Mon Jan 21, 2019 5:22 pm
@Quim, where did you get this blob link from? Don't tell me you used some random chars and picked a strange random blob by doing so. Someone gave this to you and I'd like to know who.
There is no code linkage to any of our commits, there is no commit access for that PeyTy and never will be due to the sources he uses and there is no Pull request committed by him either. Thus this whole thing smells fishy!

It was published in a Telegram group related to ReactOS (not ReactOS groups). I don't remember which, because it just disappeared quickly.

I think it was a joke designed to test if it is possible to upload anything in ReactOS code and if you could realize it.

PurpleGurl
Posts: 1777
Joined: Fri Aug 07, 2009 5:11 am
Location: USA

Re: Reactos participation and windows source leaked

Post by PurpleGurl » Tue Jan 22, 2019 1:19 pm

Oh, so more of a meme or a prank? I see. So it might not be directly connected to the other controversy, though it could have helped trigger it or have perhaps been inspired by it.

EmuandCo
Developer
Posts: 4323
Joined: Sun Nov 28, 2004 7:52 pm
Location: Germany, Bavaria, Steinfeld
Contact:

Re: Reactos participation and windows source leaked

Post by EmuandCo » Tue Jan 22, 2019 5:53 pm

I'd call it defamation! If ppl think this is funny, they are free to come by and then I will show them how funny they are! Legal expenses insurance can be really funny though!
ReactOS is still in alpha stage, meaning it is not feature-complete and is recommended only for evaluation and testing purposes.

binarymaster
Posts: 271
Joined: Sun Nov 16, 2014 7:05 pm
Location: Russia, Moscow
Contact:

Re: Reactos participation and windows source leaked

Post by binarymaster » Tue Jan 22, 2019 8:03 pm

Quim wrote:
Tue Jan 22, 2019 1:11 pm
It was published in a Telegram group related to ReactOS (not ReactOS groups). I don't remember which, because it just disappeared quickly.

I think it was a joke designed to test if it is possible to upload anything in ReactOS code and if you could realize it.

It is still here, not disappeared.

Post was forwarded to Spanish community group by Leo:

Image

The original author of the post is PeyTy (not big surprise):

Image

Image

justincase
Posts: 434
Joined: Sat Nov 15, 2008 4:13 pm

Re: Reactos participation and windows source leaked

Post by justincase » Tue Jan 22, 2019 9:01 pm

karlexceed wrote:
Mon Jan 21, 2019 10:22 pm
The commit is marked as 'Verified', which means it was signed, but that doesn't necessarily mean that it was the GreenTea contributor that did this. See: http://www.jayhuang.org/blog/tag/impersonating/

Literally anyone could have forked ReactOS and made this commit. Someone is definitely trying to stir things up.

While anyone can make a commit under someone else's name and push it to GitHub, and it will appear as coming from the person detailed in the commit's metadata, it's unreasonable to suggest that a verified (i.e. signed with this user's key) commit came from someone else, unless you're suggesting that that person has left his key around for others to get their hands on and use. Since this commit was created around the same time as other commits this user made, I'd suggest that the simplest case (this user made the commit) is the most likely.

binarymaster wrote:
Tue Jan 22, 2019 10:22 am
Maybe somebody once created a Pull Request from his branch, and the main repository fetched and stored that commit (even if the source PR has been closed).

No need to create a pull request, just push it to a repository that is a fork of the main repository and the commit id can be used to access it from a url that looks like it's part of the main repository, or that of any other repository forked from the same main repository.

PurpleGurl wrote:
Tue Jan 22, 2019 11:58 am
Now he did adopt the CoC for his project which helps seed SJW stuff which tends to cause problems in open source projects. I'm wondering if that isn't the intent of some, extorting projects to adopt the CoC or be harassed out of existence. But we have no way of knowing at this time, and I am not assigning blame.

I agree that it might not even be the guy in question. If it is related to SJW stuff, any 3rd-party actor could be involved. Thank you for pointing that out.

It seems pretty obvious that this has nothing to do with their CoC, and/or "SJW" stuff, and more to do with the ReactOS Project's stance on not accepting 'possibly tainted' contributions, and the likelihood of a third party actor doing this is greatly diminished by the fact that the commit is verified.

EmuandCo wrote:
Tue Jan 22, 2019 5:53 pm
I'd call it defamation! If ppl think this is funny, they are free to come by and then I will show them how funny they are! Legal expenses insurance can be really funny though!

I doubt you could make a legal case out of this unless you could prove that someone actively used it to publicly slander the ReactOS Project, but it's good to check into it and be ready, just in case.
I reserve the right to ignore any portion of any post if I deem it not constructive or likely to cause the discussion to degenerate.

karlexceed
Posts: 459
Joined: Thu Jan 10, 2013 6:17 pm
Contact:

Re: Reactos participation and windows source leaked

Post by karlexceed » Tue Jan 22, 2019 9:22 pm

justincase wrote:
Tue Jan 22, 2019 9:01 pm
While anyone can make a commit under someone else's name and push it to GitHub, and it will appear as coming from the person detailed in the commit's metadata, it's unreasonable to suggest that a verified (i.e. signed with this user's key) commit came from someone else, unless you're suggesting that that person has left his key around for others to get their hands on and use.

Did you read the article I linked?
I was able to push code to GitHub as Linus Torvalds...
While I was using my own SSH key to push to a repository that only I was allowed to push to, GitHub showed ‘me’ as ‘Linus’...
What’s more, clicking on the author of that commit takes you to Linus’ GitHub profile...
All I had done was setup git with my SSH key for Github, then changed my git user.email to the same email that is being linked to Linus’ account: torvalds@linux-foundation.org (note that this is publicly available).

justincase
Posts: 434
Joined: Sat Nov 15, 2008 4:13 pm

Re: Reactos participation and windows source leaked

Post by justincase » Tue Jan 22, 2019 9:30 pm

Yes, and while you can push any commits you want, using whatever key you want, it won't show up as verified unless the commit was signed with the key that's registered to that user. It's a very well known bug/feature, and it's not as broken as you seem to think.
github.blog/2016-04-05-gpg-signature-verification

@binarymaster: Good work finding that.

karlexceed
Posts: 459
Joined: Thu Jan 10, 2013 6:17 pm
Contact:

Re: Reactos participation and windows source leaked

Post by karlexceed » Tue Jan 22, 2019 10:06 pm

justincase wrote:
Tue Jan 22, 2019 9:30 pm
signed with the key that's registered to that user.

I'm just working from the information I have. That article is 5 years old now, and you're correct - Github now appears to require that the key be associated with the user's verified email.

It's still the case that if a user's Github credentials are stolen, a new key can be generated with those credentials. You don't necessarily need to have access to an existing private key to sign commits as them.

But I also agree with you that the simplest explanation is usually the correct one.

Since I checked, I will point out - the key ID that was used to sign the commit we're talking about matches with other verified commits from the same user. GPG key ID: 4AEE18F83AFDEB23
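
Added example, not part of any post in this thread: the two checks the posters describe, run locally with plain git. It classifies a commit hash as reachable from a branch or tag, dangling, or missing, and reports the author e-mail next to git's signature status; the repository, identities and commit messages are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: repo, identities and messages below are constructed.
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1

# Print the branches/tags whose history contains commit $2 in repo $1.
# Empty output means the object exists but no branch or tag leads to it.
refs_containing() {
    git -C "$1" for-each-ref --contains "$2" --format='%(refname)' \
        refs/heads refs/tags 2>/dev/null
}

# Classify commit $2 in repo $1: "reachable", "dangling" or "missing".
classify_commit() {
    git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null || { echo missing; return; }
    if [ -n "$(refs_containing "$1" "$2")" ]; then echo reachable; else echo dangling; fi
}

# Author e-mail as recorded in the commit (free text, not authenticated).
author_email() { git -C "$1" log -1 --format='%ae' "$2"; }

# Signature status letter from git: N = no signature, G = good, B = bad.
sig_status() { git -C "$1" log -1 --format='%G?' "$2"; }

# Build a constructed repo: one commit on a branch, plus one commit object
# that no ref points to and whose author field names somebody else.
build_demo() {
    DEMO=$(mktemp -d)
    git init -q "$DEMO"
    git -C "$DEMO" -c user.name=dev -c user.email=dev@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "real work"
    GOOD=$(git -C "$DEMO" rev-parse HEAD)
    ODD=$(GIT_AUTHOR_NAME="Constructed Maintainer" \
          GIT_AUTHOR_EMAIL=maintainer@example.invalid \
          GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid \
          git -C "$DEMO" commit-tree "$GOOD^{tree}" -p "$GOOD" -m "not ours")
}

build_demo
for c in "$GOOD" "$ODD"; do
    echo "$c $(classify_commit "$DEMO" "$c")" \
         "author=$(author_email "$DEMO" "$c") sig=$(sig_status "$DEMO" "$c")"
done
```

In a fresh clone of an upstream repository, a commit that was only ever pushed to a fork classifies as missing, because clone transfers only the objects reachable from the refs the server advertises.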

PurpleGurl
Posts: 1777
Joined: Fri Aug 07, 2009 5:11 am
Location: USA

Re: Reactos participation and windows source leaked

Post by PurpleGurl » Tue Jan 22, 2019 11:55 pm

I think I was misunderstood above. I didn't say that the CoC and SJW were issues with us. I was thinking that if the leader of GreenTea OS was involved, the fact that he has the CoC for his project could be a motive to discredit us since we don't have that, and SJW types will sometimes use misdirects and even frame others. I never mentioned us having an issue.

So while it may seem like our stance on tainted code sparked things off (a reactionary/defensive stance by the GreenTea OS leader and/or recent blogger), there's just as much possibility that it is an offensive move by a 3rd party to try to promote an agenda. Or the 3rd option, that it was a prank/gag/meme. Memesters can also be politically motivated. Or it could be a combination or all of the above. Regardless, we have no proof, just 3-5 theories, and thus should not accuse.

As for verified, I don't believe that as it did not originate with this project. The origin of the extraneous commits is unclear. So yes, a third party person could use this same hash across projects to make it appear to be a part of another project. So these lines could be in GreenTeaOS and passed off as ours due to the hash trick. The fact that you get this using the hash even if you use .md (text) files shows that anyone can use the hash trick to frame someone.

justincase
Posts: 434
Joined: Sat Nov 15, 2008 4:13 pm

Re: Reactos participation and windows source leaked

Post by justincase » Wed Jan 23, 2019 12:29 am

Just saw PeyTy in mattermost and asked about it.
It may have been in poor taste, but according to PeyTy it was meant only as a joke:
Image

Now can we stop with the crazy theories.

PeyTy
Posts: 5
Joined: Wed Jun 01, 2016 6:16 pm

Re: Reactos participation and windows source leaked

Post by PeyTy » Wed Jan 23, 2019 1:22 am

Hello! I confirm that it is not related to any SJW/whatever or ReactOS hate (I don't like SJWs too, but CoC concept seems to be a nice thing to keep people friendly).

Due to how easy it is to make fake commits, you probably should fill a wiki page about it, dunno when GitHub will fix this (if ever).

This is where the thing originated: https://twitter.com/andy_kelley/status/ ... 9252648960

It could be not me joking around, but some other guy with intention to harm ReactOS. Be prepared. Sorry it made a mess.

PurpleGurl
Posts: 1777
Joined: Fri Aug 07, 2009 5:11 am
Location: USA

Re: Reactos participation and windows source leaked

Post by PurpleGurl » Wed Jan 23, 2019 2:13 am

Thanks for the explanation. LOL!

No, I don't think GitHub will fix this as they regard it as a feature. It has been brought to their attention and it is currently in the "Won't fix" category.
