AI agent runs amok in Fedora and elsewhere
Agentic AI systems can be used to do a variety of things autonomously on behalf of a human user: open or manage bugs, generate code, submit pull requests, and (apparently) even complain about rejection. In May, a Fedora developer discovered that an allegedly rogue agent had been pestering the project in a number of ways: reassigning bugs, fabricating unhelpful replies to bugs, and even persuading maintainers to merge questionable code into the Anaconda installer. It also submitted a number of pull requests (PRs), some accepted, to several upstream projects. The Fedora account associated with the agent has had its group privileges revoked and the messes have been mopped up, but the motive behind the agent’s actions is still a mystery.
“Kind of erratic”
On May 27, Adam Williamson copied Fedora’s developer and testing mailing lists on a message to Nathan Giovannini about what appeared to be an unsupervised agentic AI system under Giovannini’s control. “It’s great that you’re trying to fix things, but the results seem to be kind of erratic.” Williamson said that he was still looking through the history of Giovannini’s actions in Bugzilla, but had already spotted a number of problems. For example, Williamson had found dozens of instances of Giovannini’s agent assigning Bugzilla entries to his account after submitting allegedly related pull requests to upstream projects, or closing a bug after a PR was merged into an upstream project.
In some cases, the agent simply closed bugs with comments that either restated the original bug or were, as Williamson said of this comment, “superficially plausible, but problematic in other ways”. In addition, Williamson said that Giovannini (or his agent) had submitted patches that were incorrect and then “replied to objections with LLM-generated justifications that eventually overwhelmed the maintainer into merging the fix”. The agent, as GitHub user “nathan9513-aps”, had submitted a pull request for the Anaconda installer used by Fedora and other Linux distributions. The PR’s description claimed it was a fix for an Anaconda bug that would cause installation to fail, but the patch actually preserved a kernel option passed on the command line that seemed to have nothing to do with the actual bug.
The agent’s GitHub account has since been disabled. It now shows up in conversations on GitHub as “ghost”, which is the platform’s default placeholder for user accounts that have been deleted. Thus, it is difficult, if not impossible, to piece together a full trail of all the agent’s actions on GitHub. Williamson said, rather diplomatically, that the agent’s actions were not “having a positive impact on Fedora or the upstream projects”, and suggested that Giovannini adjust the agent to be “substantially less autonomous”. He specifically asked that the agent not assign bugs to Giovannini, change their state, or “post confident assertions or specific action recommendations” without human review.
Hacked?
Later on May 27, Williamson said that Giovannini had replied to him privately to say that his credentials had been compromised and that he was not the one behind the AI system. “Obviously we should therefore treat any actions it has taken with suspicion”, Williamson said. He planned to review the bugs touched by Giovannini’s account “even more aggressively”, and asked for help from others to review them as well. A reply later that day, ostensibly from Giovannini, said that he was able to regain access to his GitHub and Fedora accounts “and I am currently securing and reviewing all involved systems and credentials”. The reply said his GitHub account was “nathangiovannini99”.
Williamson replied that the GitHub account was only an hour old, and that the recent emails to the list and sent to Williamson privately did not seem like messages Giovannini had sent in earlier interactions with the project. Giovannini has participated in discussions at least as far back as 2018, and his activity in Bugzilla goes back to at least 2016. He does not appear to have been a particularly active contributor to the project, but his involvement clearly predates the agentic AI era. Whether his account is now being operated by a human attacker, an agentic AI, or a mix of both, it has a legitimate history prior to its recent activity.
Williamson said that he had reviewed account activity in Bugzilla by “nathan95” from this year, and found suspicious activity, such as severity and priority changes to a bug with no justification, beginning on April 7, in bug 2416721. Activity before that appeared legitimate, he said, and none of the activity that he had seen so far looked outright malicious. He also identified another GitHub account, “leurus27-boop”, as likely being associated with the same agentic AI. That account is still active, and has submitted a PR to the openSUSE Commander (osc) command-line interface for the Open Build Service as well as a PR to the lxqt-policykit repository.
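One way to run the kind of Bugzilla review described above, as an added example that is not from the article or from Fedora's tooling: given a bug's history and comments in the JSON shape returned by Bugzilla's REST API, it lists severity, priority, assignee and status changes made by one account after a cutoff date that arrived without a comment. The bug id, account names, dates and the two-minute matching window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Fields whose unexplained modification deserves a reviewer's attention.
# Assumption: your instance reports these field_name values in its history.
WATCHED = {"severity", "priority", "assigned_to", "status", "resolution"}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def unexplained_changes(history, comments, account, since,
                        window=timedelta(minutes=2)):
    """Watched-field changes by `account` on or after `since` that have no
    non-empty comment from the same account within `window` of the change."""
    findings = []
    for bug in history["bugs"]:
        per_bug = comments["bugs"].get(str(bug["id"]), {}).get("comments", [])
        said = [ts(c["creation_time"]) for c in per_bug
                if c["creator"] == account and c["text"].strip()]
        for entry in bug["history"]:
            when = ts(entry["when"])
            if entry["who"] != account or when < since:
                continue
            if any(abs(when - t) <= window for t in said):
                continue  # change arrived with a comment; read it by hand
            findings += [(bug["id"], entry["when"], ch["field_name"],
                          ch["removed"], ch["added"])
                         for ch in entry["changes"]
                         if ch["field_name"] in WATCHED]
    return findings

# Constructed sample data (placeholder bug id, accounts and dates).
SUSPECT, SINCE = "suspect@example.org", datetime(2030, 4, 7)
def _h(when, who, *changes):
    return {"when": when, "who": who, "changes": [
        {"field_name": f, "removed": r, "added": a} for f, r, a in changes]}
SAMPLE_HISTORY = {"bugs": [{"id": 1000001, "history": [
    _h("2030-03-01T10:00:00Z", SUSPECT, ("priority", "low", "medium")),
    _h("2030-04-07T08:15:00Z", SUSPECT, ("severity", "medium", "urgent"),
       ("priority", "medium", "high")),
    _h("2030-04-09T12:00:00Z", SUSPECT, ("status", "NEW", "CLOSED")),
    _h("2030-04-10T09:00:00Z", "maintainer@example.org",
       ("status", "CLOSED", "NEW")),
]}]}
SAMPLE_COMMENTS = {"bugs": {"1000001": {"comments": [
    {"creator": SUSPECT, "creation_time": "2030-04-09T12:00:30Z",
     "text": "Fixed upstream."}]}}}
if __name__ == "__main__":
    for f in unexplained_changes(SAMPLE_HISTORY, SAMPLE_COMMENTS, SUSPECT, SINCE):
        print(*f)
```

A change that came with a comment is only dropped from this list, not cleared: the comments described above were often restatements or superficially plausible, so those still need a human to read them.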
The lxqt-policykit project is used to extend the privileges of the LXQt desktop’s lxqt-admin GUI tools for administering operating-system settings such as user and group configurations. Williamson said that it would be good to look through any other actions by the related accounts and warn other projects that they should review anything that had been submitted by them. Williamson seems to have followed up on each PR to warn other maintainers “the whole situation is extremely fishy”. Kevin Fenzi said that he had removed the nathan95 user from any groups it had been in, so it should no longer have the permission to reassign or close bugs.
Pre-attack?
Martin Kolman, a member of the Anaconda team, sai