Internal Sabotage Rocks OpenMandriva Linux Project
The **OpenMandriva Linux** project recently faced an attempted act of internal sabotage following a dispute among contributors. This destructive action included the wiping of **GitHub** repositories and the pushing of a malicious package, highlighting the significant risks open-source projects can face from within.
The **OpenMandriva Linux** project, an independent and community-run Linux distribution forked from **Mandriva Linux** in 2012, has reported an attempted internal sabotage.
The incident, stemming from a dispute among contributors, saw critical project assets targeted, raising alarms about insider threats in open-source development.
### The Act of Sabotage
According to **AngryPenguin**, a long-time **OpenMandriva** developer and maintainer, the sabotage attempt followed "abusive behavior towards certain users and members of the distribution" by a contributor, leading to some individuals leaving the project.
**Davide Beatrici**, a lead developer for the instant messaging app **Mumble** and an associate of the alleged instigator, is accused of deleting a significant portion of a repository that the **OpenMandriva** team had been developing for nearly a decade. **Beatrici** reportedly had administrative privileges, gained from assisting with the migration and mirroring of project repositories to his private **OneDev** instance.
Beyond the data wipe, **Beatrici** also published an empty package in the **Cooker** repository. This package was designed to obsolete existing packages for the **Gnome** and **Cosmic** desktop environments, potentially causing significant system damage to users.
### Project Response and Restoration
The **OpenMandriva** team is actively working to restore the deleted repositories and packages. A comprehensive system audit is underway to identify any other unauthorized changes and ensure the integrity of the project's infrastructure.
### The Accused's Defense
**Beatrici**, when contacted, denied the accusation of sabotage. In a statement to The Lunduke Journal, he asserted that his actions were not intended to harm the **OpenMandriva** community or its users.
"Let me state right away that this was by no means a 'sabotage.' I'm not the kind of person to do something like that," **Beatrici** stated. "The objective was not to harm the distribution I cared for and contributed to for the past 3 years. I carefully deleted all **Cosmic** and **GNOME** repositories from **GitHub**, the corresponding packages on **Cooker** (development branch) and pushed a package obsoleting them."
**Beatrici** indicated that his actions were triggered by a disagreement with certain project members regarding **OpenMandriva's** focus on **KDE** and **LXQt**. He also criticized these members for allegedly deleting the ".onedev-buildspec.yml" file from several repositories without prior consultation, questioning their commitment to security and Git commit history hygiene.
### Legal Ramifications and Community Decisions
Despite the severity of **Beatrici's** actions, which **AngryPenguin** stated on behalf of the **OpenMandriva** team could constitute a criminal offense, the project has decided not to pursue legal action against the former contributor.
This incident serves as a stark reminder of the unique security challenges faced by open-source projects, where trust and collaboration are paramount, but internal conflicts can lead to significant vulnerabilities and data loss.