OpenMandriva contributor deleted GNOME and Cosmic repos
Davide Beatrici, a three-year OpenMandriva admin, deleted the Cosmic and GNOME repositories and pushed an obsoleting empty package into Cooker on July 8.
OpenMandriva said this week that a longtime contributor with three years of admin access to its GitHub organization deleted the project’s Cosmic and GNOME desktop repositories in the early hours of July 8, and pushed an empty package to the Cooker development branch that obsoleted the existing GNOME and Cosmic packages — a move that, had it reached users through a routine update, would have quietly removed both desktop environments from any system tracking Cooker.
The contributor was Davide Beatrici, a Mumble developer who had been with the project long enough to have volunteered, earlier, to migrate its repositories to his own OneDev instance — how the admin rights arrived in the first place. The forum post by longtime maintainer AngryPenguin describes the sequence bluntly: a separate contributor’s conduct in the project’s Matrix chat prompted their removal from the channel; Beatrici and one other person left in protest; and, hours later, the deletions and the obsoleting package showed up under his account. Beatrici’s response, given to BleepingComputer, is that it “was by no means a ‘sabotage.’” OpenMandriva called the actions a criminal offense in the same statement, then said it did not plan to pursue legal action.
The technical shape of this — a maintainer with commit and admin rights using them to destroy work during an interpersonal dispute — is not new, and it isn’t really about OpenMandriva. It is the same category of risk that XZ Utils turned into a headline the year before last: distribution security still rests on a small number of people, each holding keys the project cannot easily revoke without breaking itself, and the process for deciding who gets those keys is more often social than procedural. The difference is only that XZ’s Jia Tan spent years building the trust before spending it, and Beatrici, on the current account, spent his in a night.
There is a boring, worth-repeating detail underneath the drama. The sabotage vector was an empty package that obsoleted GNOME and Cosmic — a completely legitimate operation, done with legitimate rights, that would have shipped to users through the ordinary Cooker pipeline. It did not require a vulnerability, a stolen credential, or a novel technique. It required admin. Distributions have, for decades, treated the developer-repository boundary as the trust boundary that matters, because past that point almost everything downstream is automated. That’s still the model. Same mistake, different decade: the pipeline is the person.
The npm and PyPI incidents that have dominated coverage this month —
the Injective Labs GitHub compromise pushing the wallet-stealing
@injectivelabs/sdk-ts
release,
the DPRK’s continued rollup-polyfill
work, the
npm 12 default of disabling install
scripts
— all sit on the same axis. Whether the maintainer is compromised, is a
plant, or, as here, is just angry, the mechanics are identical from the
project’s side. Downstream, an empty obsoleting package looks like any
other package.
For OpenMandriva users the operational note is unglamorous. Cooker is the development branch, not the stable one. If you weren’t tracking Cooker on July 8 there’s nothing to do. If you were, and updated in that window, check whether GNOME or Cosmic went missing and reinstall from the restored packages once the project’s audit and restore work lands. OpenMandriva says both are underway.
The uncomfortable question isn’t for OpenMandriva. It’s for every project of comparable size that has one admin because that admin volunteered, one afternoon three years ago, to move things over.
Found this useful? Share it.


