shadow-maint/shadow

4.14.7 release was deleted

Closed this issue · 9 comments

See https://bugs.gentoo.org/935453. It appears 4.14.7 was yanked. Please don't ever delete releases, especially not for a security-critical package. It destroys provenance and raises alarm bells.

If a release is broken, please add a note to the release notes and issue a new release.

I noticed a few days ago, but didn't know when or how it happened. I noticed some glitches while uploading some of the more recent versions (github misbehaved: it didn't allow me to publish a release for several attempts), so I guessed/assumed it would have been some github glitch that removed 4.14.7. But I don't know what happened exactly.

I have the original release tarballs on my own server

http://www.alejandro-colomar.es/share/dist/shadow/4/4.14/4.14.7/

but I didn't want to re-upload it because that would obviously be suspicious. But if anyone needs it, it's available there. Just check the signature, and compare a checksum with one of the old github releases, if anyone keeps it.

If anyone knows how to report a bug to github, feel free to do so. It'd be interesting to learn what the hell happened, because as you say, it's pretty bad. If they can show logs of how that happened, that would be good.
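The check suggested above (verify the detached signature, then compare a checksum against a copy of the original GitHub release), as an added example that is not part of this thread or of shadow's own tooling. The signer fingerprint is a placeholder, and the expected SHA-256 comes from whatever copy of the original release you still hold.

```python
import hashlib
import subprocess

# PLACEHOLDER: fingerprint of the key expected to sign releases. Not taken from
# the thread; substitute the maintainer's real fingerprint before use.
EXPECTED_SIGNER_FPR = "0000000000000000000000000000000000000000"


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large tarballs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path, expected_hex):
    """Compare the re-hosted tarball against a hash recorded from the original release."""
    return sha256_file(path).lower() == expected_hex.strip().lower()


def signature_valid(tarball, sig_path, expected_fpr=EXPECTED_SIGNER_FPR):
    """Verify a detached OpenPGP signature and require a specific signing key.

    gpg's exit status alone accepts any key in the keyring, so the
    machine-readable VALIDSIG status line is parsed and its fingerprint
    (signing subkey, or the primary key in the last field) must match.
    """
    try:
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(tarball)],
            capture_output=True, text=True,
        )
    except FileNotFoundError:  # gpg not installed: treat as not verified
        return False
    if proc.returncode != 0:
        return False
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs = {parts[2].upper(), parts[-1].upper()}
            return expected_fpr.upper() in fprs
    return False


def verify_release(tarball, sig_path, expected_sha256, expected_fpr=EXPECTED_SIGNER_FPR):
    """Report both checks separately so a failure is attributable to one of them."""
    return {
        "checksum_ok": checksum_matches(tarball, expected_sha256),
        "signature_ok": signature_valid(tarball, sig_path, expected_fpr),
    }
```

Both checks must pass: a matching checksum alone only proves the file is the same bytes you saw before, and a good signature alone only proves the signer's key was used.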

There's a bug form here.

Given that we don't know what you did or how you did it, I don't think anyone can file a bug on your behalf.

Done. https://support.github.com/ticket/personal/0/2874751

Although, I think that link is private, and don't see any button to make it public. :|

I've created one on behalf of shadow-maint. Maybe this gives visibility at least to other maintainers...

https://support.github.com/ticket/personal/0/2874769

Github support said this is in their logs:

{
"action": "release.destroy",
"actor": "hallyn",
"created_at": "2024-05-25 18:33:57 +0300",
"name": "4.14.7: Casín aged++++++",
"repo": "shadow-maint/shadow"
}

It was removed on 2024-05-25, it seems.

Cc: @hallyn

It does look like I did this (rather than my account being compromised). The ip address and firefox history are plausible, though with webapp stuff there's no concrete "delete this release" page.

If I did, our guess is that when Alejandro asked me to delete the 4.14.x branch, I deleted that release instead. I cannot imagine why I would not have just issued the git command on the command line. But if I did not have my yubikey, it is conceivable.

Here's the request for branch removal that @hallyn referenced: #926 (comment)