Malicious Contributions: Abridged

Let this thread act as a table of contents for the software contributions found to be malicious or done in ill intent. With every story that you send in the comments, I will add a respective entry to the list in chronological order. Each entry in the chronology will show the date and the appropriate name, linking to your comment.

Please, give a summary in the words that you understand, point out the date it was effective and provide reliable links. These links may include the detailed report (required), malicious source and the fix (if any).


Is it a good contribution or a bad one? One likes your software, another will inevitably ruin it.
vintprox OP Mod , (edited )
vintprox avatar

Insulting Ukrainian strings in Ubuntu 23.10 installer

Around September 22nd, Ukrainian release of the recent Ubuntu installer has been sabotaged by a malicious contributor that inserted translations with hate speech. Team has seemingly excluded Ukrainian files to be on the safe side, but a fix was soon proposed to remove commits by the aforementioned malefactor instead of what looks like a cut-and-dry approach (that only happily obliges the attacker).

melroy Admin ,
melroy avatar

Yea, Canonical removed Ubuntu 23.10 due to this. Maybe at some mirrors you could still download this not so friendly version of Ubuntu. But by now the download link should work again and Canonical fixed the problem.

vintprox OP Mod , (edited )
vintprox avatar

The important takeaway for me was that, like @AustinPowers1935 dealing with malefactor's remnants, we need to come up with the better solution, not simply quarantine "modules" (in this case, entire translation).

Yes, disabling locale for the installer looks like a correct thing to do by Canonical's protocol and it's safe - but it is also malleable to the whims of outside contributors going unchecked. That "Danilo" troll is probably laughing in their cage of a room about how their mischief has caused an alleged drop in Ukrainian userbase of Ubuntu, even if the effects of hate speech AND the lack of installer (on top) were there just for a short while.

This all has birthed in the team a late realization about how resilient Canonical's review process should be.

melroy Admin ,
melroy avatar

My take away is how can we prevent this from happening. A PR will be created from Weblate towards GitHub. I think there people can peer-review the translations before it's getting merged.

EDIT: The problem is you can't read all languages maybe. So translation PRs might require multiple approvals.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • tech
  • insurance
  • testing
  • drbboard
  • updates
  • til
  • programming
  • bitcoincash
  • marketreserach
  • wanderlust
  • Sacramento
  • All magazines