In the Drupal slack, I came across a message from @mxh saying that somebody suddenly had maintainer permissions on the Imagepin project. To mxh's knowledge, this access was not handed out by mxh or any of the other comaintainers (though he also said that he did not investigate in the interest of not wasting time -- full conversation is below).

I did some looking and it appears that the user in question is @nitesh624. Given his other contributions + social media presence, I believe that he means well and was probably given access by somebody who had access to do so. It appears that this access was requested/granted via some informal means (perhaps by direct email or something), as I could not find any issue in the imagepin or projectownership queue requesting access to this project. The revision history on the project also does not show maintainership changes as far as I can see (which would be very useful), so it's not clear who would have made this change. We also don't retain watchdog logs long enough to be able to see when those changes would have been made, so I wasn't able to glean any additional information from that avenue either.

The reason that I bring this up is that if this access was truly unauthorized, it represents a significant supply chain vulnerability for any Drupal site. I'm inclined to believe that this was a simple miscommunication somewhere + not following the standard request process, but let's be certain that's all it was.

I'm aware of https://www.drupal.org/project/site_moderators/issues/3218459, but the events referenced here happened in early April (before the new project takeover process was finalized/published).

I have elevated access on Drupal.org, but the information that follows is everything relevant that my access allows me to view (as far as I know). Since I can't come to any specific conclusion on this on my own, I thought it would be best to bring this to the attention of a wider group of admins.

As far as I can see, this is the timeline of relevant events:

Timeline:

August 11, 2020:

  • Imagepin project was edited by chr.fritsch: https://www.drupal.org/node/2864156/revisions/12023750/view (the length of time between this edit and the next one + any activity from nitesh624 on the project is the biggest open question in my mind -- did chr.fritsch give nitesh624 access on this edit & nitesh624 just didn't have time to do anything with the project until 8 months later? or was this edit unrelated?)

April 10, 2021:

April 11, 2021:

May 5, 2021:

June 23, 2021:

Link to slack thread: https://drupal.slack.com/archives/CJ93UNJP4/p1634749470426400 (this probably won't be around for much longer since history in the Drupal slack is not preserved)

5d
alison:bi-heart:  Hi folks!  At some point in the past, someone created a 2.x branch on the project I now maintain -- it hasn't been committed to in quite a while, we're just using the 1.x branch -- and there are no commits on 2.x that aren't on 1.x.  Fortunately, the 2.x branch is not mentioned on the project page.
Is it ok if I simply delete the branch...............? (edited) 

5d
alison:bi-heart:  https://www.drupal.org/project/nodeaccess
https://git.drupalcode.org/project/nodeaccess/-/tree/8.x-2.x (edited) 

5d
dww  If there’s a -dev release pointing to it, you can’t delete the branch. If not, and there’s no difference, sure, you can delete it.

5d
alison:bi-heart:  Gotcha, no -dev release pointing to it -- awesome, thank you!

5d
mxh  I’m having a similar situation, and someone actually created a -dev release on it, so I cannot delete that useless branch. The guy who created this branch also was someone suddenly having maintainer permissions on this project, without any pre-notification to me (I am the author of this module and also still an active maintainer of it). The project is this one: https://www.drupal.org/project/imagepin

5d
mxh  TBH this was not something positive for me as this came by total surprise, and the “maintainer” also added untested commits and created new releases that broke stuff that I had to take care of. As a conclusion and after several weeks still not responding to my questions asked in the issue queue regards the created 2.x branch, I decided to remove him from the maintainer list.

5d
alison:bi-heart:  Oh my goodness, I just realized the 8.x-2.x branch was created from 7.x-1.x :pika-facepalm:
So technically, there are commits on it that aren't on its parent branch, but there's still no -dev release connected to this branch...

5d
alison:bi-heart:  I created posterity_8.x-2.x, and deleted 8.x-2.x -- because, yikes, so confusing, and also so 8.x-2.x is available to user later........ (even if we go to semantic versions, having 2.0.0 and 8.x-2.x hanging around would be, y'know, awful)

5d
alison:bi-heart:  @mxh oof that's a nightmare :confused:

5d
dww  Oooof and a new release for every commit, it seems. Yikes. How did they become a maintainer? (edited) 

5d
mxh  I don’t know how they became a maintainer, didn’t take the time to investigate.

4d
cweagans  @mxh hi, when did this happen? (edited) 

3d
mxh  Few months ago - I’d also like to note here that I’m not intending to start a debate regards this case. It was an unfortunate situation that took time and could have even brought even worse consequences for me (e.g. by losing a client), but things didn’t get that far, so I decided not to waste more time on this.

1d
cweagans  Totally understand. I would like to investigate a bit and see how that would have been possible. People just randomly getting maintainership over a project on Drupal.org represents a fairly major security issue from my standpoint. @mxh did you report this to anyone at the time that it happened? And can you please DM me the name of the user who became a maintainer if you have it handy?

10h
mxh  @cweagans I appreciate your interest in this one, though I’m afraid that it could get to even more time to be wasted, and I do not want to generate trouble for people who might somehow be related with that problem but are in fact not directly responsible for it. I decided to not investigate any further at that time, thus I also didn’t report it to anyone. The problems that raised up were reported in the issue queue of the above linked project, so if you’d want to investigate further, this place is a good starting point. One important thing to note is: In the issue queue of that module, there is no issue that requests co-maintenance for this project. Some other notes: The project was on a “Seeking co-maintainer” state once, as I was looking for someone who could’ve joined to maintain this project (but using the standard appliance process for it). Another note is that this project already has further maintainers other than me, and it was me who added them, and I know all of them, so I highly doubt - though not completely to be excluded - that anyone of them added the person that suddenly committed non-reviewed stuff.

Comments

cweagans created an issue. See original summary.

cweagans’s picture

cweagans
He/Him
Primary language English
Location Boise, ID, USA
commented
Issue summary: View changes
cweagans’s picture

cweagans
He/Him
Primary language English
Location Boise, ID, USA
commented

Just to be clear: the intent of this issue is not to start a witch hunt or anything. I'm sure there's a reasonable explanation for everything detailed above. I think it's important to just get to the bottom of it and be sure that there isn't a problem with our project access control mechanisms.

drumm’s picture

drumm
he/him
Location NY, US
commented

Edits to the project and maintainership changes are technically completely unrelated. Project node edits are just the content. Maintainership is not stored in a field and happens separately from content edits.

All 7 co-maintainers have access to add new maintainers to the project, so technically-authorized maintainership granting could have happened in many ways.

2.0.x branch was created (presumably by nitesh624, but I don't think we log branch creation anywhere that I have access to)

This is confirmed by https://git.drupalcode.org/project/imagepin/activity

hestenet’s picture

hestenet
He/Him
Location Portland, OR 🇺🇸
commented

I think I would agree that the most likely scenario is that a well-meaning person granted maintainer rights. The most common way this happens informally (without an issue paper trail) is when one maintainer grants it to another - and since it sounds like we haven't checked with all the existing maintainers yet, that's what I would recommend doing first (and or messaging @nitesh624 and asking!):

mxh
Andre-B
chr.fritsch
fago
mbm80
michaellenahan
shagel

If it was none of the existing maintainers than I wonder if it was some sort of mixup that was meant to be granted for a different module and someone just had the wrong tab open.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

I looked at the comments/posts created from the user, but I didn't find any request to become maintainer. I also checked if I received emails from the user, but I didn't find any.

I hope the explanation is that the user contacted one of the maintainers, who added him as co-maintainer/maintainer, not that there is an issue with the project access control.

drumm’s picture

drumm
he/him
Location NY, US
commented

As far as I can tell, there are no watchdog logs of maintainership changes, so if we want to really track this down, it'll mean rehydrating HTTP logs from a year ago. https://git.drupalcode.org/project/imagepin/activity confirms someone added nitesh624 as a co-maintainer Sep 24, 2020. Likely, this was one of the other co-maintainers adding them.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

I contacted the user asking to which users he asked to become maintainer/co-maintainer and which user added him. I said I was just trying to understand what happened, since no issue has been posted for that.

pasqualle’s picture

pasqualle
Location 🇭🇺 Budapest
commented

Time to revive #1245352: Activity integration for Project and Project Release (a GSoC project)?

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

@Pasqualle Drupal.org is going to migrate to Drupal 9, but the Activity module used from the patch in #1245352: Activity integration for Project and Project Release (a GSoC project) hasn't been updated since 2018, and it's not compatible with Drupal 9. (That task has been also opened for Drupal 6.)

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

I didn't get any reply from the user, so far.

Today, I have been added as co-maintainer for 5 different projects, for which I didn't offer to co-maintain them. I probably checked issues opened by other users, in my role of project moderator. I contacted the project owner saying I didn't ask for that, but I added back as co-maintainer (and I removed myself).
This just show how users can be mistakenly added as co-maintainers/maintainers.

In this case, the user started to commit code, which makes me think the user probably expected to be added as maintainer/co-maintainer.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

I also contacted all the maintainers, asking them if they added nitesh624 as co-maintainer/maintainer.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

I got a reply from 3 maintainers. They said they didn't add him as maintainer.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

I haven't gotten replies from other users.

cweagans’s picture

cweagans
He/Him
Primary language English
Location Boise, ID, USA
commented

Just following up here -- is there anything that I can do to help with this? And/or is it even worth digging into further?

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Active » Fixed

I guess we can close this, as all the users have been contacted.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.