Answer:

The repository was taken offline by the administrator. The maintainer (Theo Fidry) is locked out. The reason for taking the repository offline is currently unknown.

Head over to https://github.com/nelmio/alice/issues/1089 to get more info & possible workarounds.

Original question:

Something odd is happening to a well-known Symfony Framework bundle right now. I have no idea if there is a real-time channel I can ask about it, so I'm asking here, hoping somebody else noticed:

  1. I just had an error in my CI/CD pipeline caused by a Composer package: apparently the Github repository https://github.com/hautelook/AliceBundle was briefly either taken private or removed.
  2. About 10 minutes later, the repository re-appeared as https://github.com/theofidry/AliceBundle, this time as a fork of https://github.com/nowiko/AliceBundle

I've got screenshots, Google has some cache (compare https://webcache.googleusercontent.com/search?q=cache:V9Wz5RytGcsJ:https://github.com/hautelook/AliceBundle+&cd=1&hl=en&ct=clnk&gl=au&client=safari and https://github.com/hautelook/AliceBundle).

The big question here is: what's going on? Is this a possible supply chain attack in progress?


Some resources

Original repository state: (screenshot)

Forked repo with no releases, tags etc: (screenshot)

The pipeline error I got:

        Failed to download hautelook/alice-bundle from dist: The "https://api.github.com/repos/hautelook/AliceBundle/zipball/17c5199b2a6efbc1383b0afe1cddfa3c176b7b6f" file could not be downloaded (HTTP/2 404 )
        Now trying to download from source
      - Syncing hautelook/alice-bundle (2.9.0) into cache

      [RuntimeException]
      Failed to clone https://github.com/hautelook/AliceBundle.git via https, ssh protocols, aborting.

      - https://github.com/hautelook/AliceBundle.git
        Cloning into bare repository '/root/.composer/cache/vcs/https---github.com-hautelook-AliceBundle.git'...
        remote: Invalid username or password.
        fatal: Authentication failed for 'https://github.com/hautelook/AliceBundle.git/'

      - git@github.com:hautelook/AliceBundle.git
        Cloning into bare repository '/root/.composer/cache/vcs/https---github.com-hautelook-AliceBundle.git'...
        error: cannot run ssh: No such file or directory
        fatal: unable to fork
Jan Klan

  • If it helps, I added version 2 on my github https://packagist.org/packages/benelori/alice-bundle – benelori Sep 10 '21 at 06:34
  • What makes you say that it is not a supply chain attack? – tomsihap Sep 10 '21 at 14:42
  • I have trouble seeing what the *concretely answerable programming question* here is. Remember, in order to be on-topic, a question must be answerable *by the community* and there must be a single, canonical, objectively correct answer. This looks like it fails at least the first test (it cannot be answered by the community, only by the people directly involved, at least one of whom has already publicly stated they have no idea what's going on), and possibly the second test as well (if this turns out to be an interpersonal issue, then there's no correct answer). – Jörg W Mittag Sep 10 '21 at 14:52
  • related question: "how can I without being vulnerable to doing ?" – user253751 Sep 10 '21 at 15:18
  • The Twitter account you show in the screenshot isn't Theo's, as he's tfidry, not theofidry on Twitter. – Derick Sep 11 '21 at 09:17
  • Thanks Derick, I removed the screenshot. I'm now not sure how I landed there, and you're right. – Jan Klan Sep 11 '21 at 23:53
  • Thanks Jörg. I believe the community may include people familiar with the matter, able to provide the correct answer. I rephrased the question and provided a suggested course of action to those finding the question. Considering the attention it received in the past few days, I assume it is impacting quite a lot of people - the package in question is essential to many PHP-based projects. I think it's a good thing new comments can't be added, as the right place to discuss is the issue on Github, now part of the original post. So thanks for the feedback, all of you. – Jan Klan Sep 12 '21 at 22:44

2 Answers

As Théo Fidry, the maintainer of that package, recommends: his Github account holds an up-to-date fork which can be used by adding the following settings to composer.json:

    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/theofidry/AliceBundle"
        }
    ],
Nico Haase

  • This doesn't really answer the question, which is "What is going on?", not "What should I do?" (which would actually be on-topic). – Jörg W Mittag Sep 10 '21 at 14:54
  • @JörgWMittag Eh, "How can I resolve this?" might be on-topic, but asking for opinions (e.g. "what should I do?") definitely isn't. – TylerH Sep 10 '21 at 18:28
  • @JörgWMittag "what is going on" is pretty difficult to say: the packages vanished under their original name, and the long-time maintainer doesn't know why – Nico Haase Sep 11 '21 at 07:39
This might not be a direct answer to your question but I hope it might help people having huge troubles in their CI pipeline as I had. What I did to solve the issue because the version uploaded by theofidry required PHP 7.3 at least (and my old app does not meet this requirement) was:

  1. Go to your project folder in your local development
  2. Copy the folder vendor/hautelook/alice-bundle somewhere
  3. Run git init inside the copied folder
  4. Create a git repository (e.g. on GitHub) and push the content
  5. Back in your project, update your composer.json, change the version used for hautelook/alice-bundle to "dev-master" and add a vcs repository as specified below
  6. Run composer update and you should be fine

Adapt the URL accordingly:

    "repositories": [
        {
            "type": "vcs",
            "url": "git@github.com:YourRepository/AliceBundle"
        }
    ]

That solution would only work if you already had a version of AliceBundle somewhere.

Masadow

  • This doesn't really answer the question, which is "What is going on?", not "What should I do?" (which would actually be on-topic). – Jörg W Mittag Sep 10 '21 at 14:54
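Both answers come down to the same composer.json change: add a "vcs" repository for a fork you trust (Théo's in the first answer, your own copy of vendor/hautelook/alice-bundle in the second) and, for the second, retarget the constraint to "dev-master". The helper below is an added example, not code from either answer or from the AliceBundle project; it applies that change to a parsed composer.json idempotently, so a pipeline can re-run it without stacking duplicate repository entries. The function name, the object-form key "alice-bundle-fork" and the sample composer.json are assumptions.

```python
from __future__ import annotations

import copy
from typing import Any

PACKAGE = "hautelook/alice-bundle"

# Constructed sample composer.json for the demo (assumption, not taken from the question).
SAMPLE_COMPOSER: dict[str, Any] = {
    "require": {"php": ">=7.1", PACKAGE: "^2.9"},
    "require-dev": {"phpunit/phpunit": "^9.5"},
}


def point_at_fork(composer: dict[str, Any], repo_url: str,
                  constraint: str | None = None) -> dict[str, Any]:
    """Return a copy of a composer.json mapping that resolves PACKAGE from repo_url.

    Adds a {"type": "vcs", "url": repo_url} repository exactly once (safe to re-run)
    and, when a constraint is given, rewrites PACKAGE's constraint where it is required.
    Custom repositories are consulted before Packagist, so the fork takes precedence.
    """
    out = copy.deepcopy(composer)  # caller's mapping stays untouched
    repos = out.get("repositories", [])
    # Composer accepts "repositories" as a list or as an object keyed by name;
    # entries such as {"packagist.org": false} are not dicts with type/url, so skip them.
    entries = list(repos.values()) if isinstance(repos, dict) else repos
    present = any(isinstance(r, dict) and r.get("type") == "vcs" and r.get("url") == repo_url
                  for r in entries)
    if not present:
        entry = {"type": "vcs", "url": repo_url}
        if isinstance(repos, dict):
            repos["alice-bundle-fork"] = entry  # hypothetical key name for object form
        else:
            repos.append(entry)
        out["repositories"] = repos
    section = next((s for s in ("require", "require-dev") if PACKAGE in out.get(s, {})), None)
    if section is None:
        raise KeyError(f"{PACKAGE} is not required by this composer.json")
    if constraint is not None:
        out[section][PACKAGE] = constraint
    return out


if __name__ == "__main__":
    import json
    # First answer: Theo's up-to-date fork, existing constraint kept.
    print(json.dumps(point_at_fork(SAMPLE_COMPOSER, "https://github.com/theofidry/AliceBundle"), indent=4))
    # Second answer: your own pushed copy of the vendor directory, tracked as dev-master.
    print(json.dumps(point_at_fork(SAMPLE_COMPOSER, "git@github.com:YourRepository/AliceBundle",
                                   "dev-master"), indent=4))
```

Write the returned mapping back to composer.json with `json.dumps(..., indent=4)` and then run `composer update hautelook/alice-bundle`, as both answers describe.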