If you’re confused why you can’t currently download Ubuntu 23.10 despite the fact it’s been released (and blogs like mine are telling you it’s out) there is a reason.
[From Twitter]: “We have identified hate speech from a malicious contributor in some of our translations submitted as part of a third party tool outside of the Ubuntu Archive. The Ubuntu 23.10 image has been taken down and a new version will be available once the correct translations have been restored.”
Now, I’m not 100% certain but from poking around the Ubuntu Desktop Installer GitHub — I know, I’m nosey — appears to have been (sadly) the Ukrainian translation file that was hijacked. I ran the text through a translator and …Honestly, I wish I hadn’t.
It’s a broad range of offensive sentences touching on politics, sexuality, and current events. Though shocking, none of it is particularly coherent in scope. It seems to be written to be provocative for provocations sake – the sort of stuff people post on X to farm likes from far-right bots.
Nobody is even slightly concerned that this made it to release? if they can shove in hate speech without anyone noticing, cant be much harder to slowly introduce a backdoor over several commits.
I would assume since it was a block of raw text in Ukrainian in a translation file, it would have passed more under the radar than something like a backdoor. I do not know how things are reviewed before being pushed to release though.
I’m sure more people know C or Python than Ukrainian at Canonical. It looks like this particular change has been authorized by a third-party localization project, though I’m not sure the whole process works.
Translations are not going to be analyzed as thoroughly as code, and this was still found quite quickly. Submitted code is analyzed much more thoroughly, often by multiple members or the project.
It is very concerning, absolutely. With that said, it’s entirely possible localization/translation reviews work differently than code reviews.
Not really, not only because of the language but also because the same scrutiny between code and content wouldn’t have to be the same. I also don’t expect core aspects of the distribution, e.g kernel, package manager, cryptography libraries, to be verified the same way than a random software, e.g Kdenlive. So… is it bad, absolutely. Does it mean everything should be questioned again? Probably not.
Well but they DID notice
Most translations are contributed by external users for languages that the project developers don’t speak themselves, so they can’t always check everything unless there’s multiple active translators for one language.
Ukrainian has enough speakers for there to be multiple translators, doesn’t it?
Clearly not enough active ones for each and every project out there.
But oPeN sOuRce iS sAfe.