Skip to content
feed: live
>_ 0dayNews
supply chain

OpenMandriva ex-contributor wipes GNOME, Cosmic packages

Mumble developer Davide Beatrici used leftover admin from a repo migration to delete OpenMandriva GitHub content and obsolete GNOME, Cosmic packages.

OpenMandriva ex-contributor wipes GNOME, Cosmic packages
Photo: Marshmallych / Wikimedia Commons · GPL
fuse Marisol "Fuse" Delgado · Published · 4 min read

If you run a small open-source project and a contributor who once helped you move infrastructure is no longer on the team, this is your reminder to actually go pull their admin. OpenMandriva posted on Thursday that Davide Beatrici, best known as the lead developer of the Mumble voice-chat project, used administrative privileges he still held from a repository-migration project to delete GitHub content and push an empty package into the distribution’s Cooker development repo that obsoleted the GNOME and Cosmic desktop packages. BleepingComputer’s writeup went up the same day; OpenMandriva developer AngryPenguin posted the community-facing summary on the project forum.

There is no CVE here. There isn’t going to be one. This is not the kind of thing a patch closes — it’s an access-review failure with a name attached, and the honest version of that story is a lot more common than the CVE feed makes it look.

What changed

The timeline OpenMandriva put out is short. Beatrici had admin rights from an earlier stretch when he helped migrate the project’s repositories to his own private OneDev instance. When his active involvement ended, those rights didn’t. He used them, on his way out, to delete Cosmic and GNOME repository content on GitHub and to push an empty package to Cooker — the distribution’s rolling development branch — that marked the GNOME and Cosmic desktop-environment packages as obsolete. If you’re a downstream user of Cooker, an empty package flagged Obsoletes: for a whole desktop is not a subtle change; the next upgrade run drops the desktop. That is the class of blast radius we’re talking about.

Beatrici’s stated reason, quoted in BleepingComputer’s piece, is a disagreement with the project’s focus on KDE and LXQt at the expense of GNOME and Cosmic, and specifically with project members deleting build spec files “without consultation.” His own framing: “The objective was not to harm the distribution I cared for and contributed to for the past 3 years.” I don’t grade motive here. The output was destructive; that’s what matters for how the rest of the ecosystem should react.

OpenMandriva’s response, in their own words, is that they are “currently restoring the deleted repositories and packages and is conducting a full system audit to determine any other unauthorized changes.” They also decided not to pursue legal action, while explicitly characterizing the actions as “a criminal offense.” Read that as a small-project economic decision, not an endorsement of the behavior. Lawyers cost money OpenMandriva doesn’t want to spend on someone who is now radioactive in the community anyway.

What to actually do

If you maintain a FOSS project — distribution, package, plugin, anything with a git forge behind it — this week:

  • Pull the org-membership list on every forge you use and reconcile it against your current active contributors. GitHub, GitLab, Codeberg, self-hosted Gitea, self-hosted OneDev, the whole set. “Active” means someone who is doing project work right now, not someone who was helpful in 2023. Everyone else drops to reader access at most.
  • Revoke migration-era admin the day the migration ships, not “when you get to it.” The pattern in the OpenMandriva incident is the pattern every migration produces: temporary elevated access, granted so someone can move data, that outlives the reason it existed. Put an expiry on the elevated role or tie it to a ticket that has to close before the next release. Either way, don’t let admin become the default state.
  • Require two-of-N for destructive package operations on the release-facing repo. Deleting a package, force-pushing to a branch, publishing an Obsoletes: that unwinds a whole desktop — these are the actions that need a second pair of eyes, not the routine per-commit review. Most forges support branch-protection rules and required reviews on tag pushes. Use them on the branch that ships to users.
  • Log the destructive operations to somewhere the actor doesn’t control. If the log of “who deleted the GNOME repo” lives on the same forge that got sabotaged, you’re relying on the attacker’s honor system for forensics. Ship the audit stream to any second location — a Discord webhook, a Matrix room, an S3 bucket, whatever you already run — so that the “full system audit” step OpenMandriva is doing now doesn’t have to be reconstructed from cached tabs.

And one call that will be unpopular in small-project culture: do offboarding. Communities built on trust don’t love the framing, and I get it — this is somebody who contributed for three years, and now you’re the person emailing them to say the token is gone. Do it anyway. The choice is between an awkward five-minute email when someone drifts away, and a week of AngryPenguin restoring repos while wondering what else got touched. Pick the email.

The honest short version

Contributor with old admin credentials went sideways after a policy dispute and used the credentials to break things. Nothing about that story requires a novel attack technique, a nation-state actor, or a supply-chain research paper — it just requires that nobody rotated the credential when the relationship changed. Rotate the credential.

If you’re a downstream user, OpenMandriva says they are restoring the affected repos and packages and running an audit; sit tight on Cooker for a day or two until they publish the all-clear rather than pulling mid-restore. If you’re a maintainer anywhere else in FOSS, the timer on that access-review you’ve been putting off started this morning.

Sourcing

Found this useful? Share it.