If you’re confused why you can’t currently download Ubuntu 23.10 despite the fact it’s been released (and blogs like mine are telling you it’s out) there is a reason.

[From Twitter]: “We have identified hate speech from a malicious contributor in some of our translations submitted as part of a third party tool outside of the Ubuntu Archive. The Ubuntu 23.10 image has been taken down and a new version will be available once the correct translations have been restored.”

Now, I’m not 100% certain but from poking around the Ubuntu Desktop Installer GitHub — I know, I’m nosey — appears to have been (sadly) the Ukrainian translation file that was hijacked. I ran the text through a translator and …Honestly, I wish I hadn’t.

It’s a broad range of offensive sentences touching on politics, sexuality, and current events. Though shocking, none of it is particularly coherent in scope. It seems to be written to be provocative for provocations sake – the sort of stuff people post on X to farm likes from far-right bots.

  • quackers@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    76
    arrow-down
    14
    ·
    1 year ago

    Nobody is even slightly concerned that this made it to release? if they can shove in hate speech without anyone noticing, cant be much harder to slowly introduce a backdoor over several commits.

    • Hildegarde@lemmy.world
      link
      fedilink
      arrow-up
      68
      ·
      1 year ago

      Minecraft got in trouble when the Afrikaans translation had the n-word (in English) due to a malicious translator. CDPR had an issue with the Ukrainian translation making references to the ongoing war.

      This sort of thing happens somewhat frequently. It’s the same reason how fake sign language interpreters can hold positions. It’s hard to verify the accuracy of a translation in a language you don’t speak. They have to trust that the translator did their job right.

      Translations are usually just text strings. No reasonable project would allow translators to write code.

      • Azzu@lemm.ee
        link
        fedilink
        arrow-up
        14
        arrow-down
        2
        ·
        1 year ago

        I mean honestly though, if there are code reviews, how hard would it be to just make a quick “translation review”, putting the stuff through a translator program, and verifying it’s not obvious bullshit? Especially for new/unknown contributors. Of course it’s additional work, again, but a sanity check should easily be possible.

        • lloram239@feddit.de
          link
          fedilink
          arrow-up
          15
          ·
          edit-2
          1 year ago

          Quite hard. We had Open Source’ish LLMs for only around six months, if they are even up to the task of verifying a translation is another issue and if they are up to Debian’s Open Source guidelines yet another. This is obviously going to be the long term solution, but the tech for that has simply not been around for very long.

          And of course once you have translation tools good enough for the task, you might just skip the human translator altogether and just use machine translations.

          • Azzu@lemm.ee
            link
            fedilink
            arrow-up
            13
            arrow-down
            1
            ·
            edit-2
            1 year ago

            I more meant that if something contains “fucking kill all ukrainians and trans people”, which it sounds like this was something like that, that should be possible to see even with bad translation tools.

            • duncesplayed@lemmy.one
              link
              fedilink
              English
              arrow-up
              5
              ·
              1 year ago

              It wasn’t, by the way. Though it could have been flagged by the dumbest of online translators (or even anyone who could read Cyrillic, since some of it uses English loanwords, like “sex” and “gay”). It should never have made it in release, but I disagree with categorizing it as “hate speech”. I feel comfortable posting it here, even though it’s pretty crude and #3 in particular is very vulgar. If anyone’s curious, here are the Google Translate translations of the vandalized parts (except for one of them, fullInstallationSubtitle, which I think is too offensive to be repeated here. It references the Israel-Palestine war):

              Suck dicks in this {DISTRO}
              Your pants aren’t off yet
              .
              Classic gay sex
              Only the bare essentials, circumcised beards and Jewish pornography.
              Warning: This feature is not supported by your synagogue and cannot support updates to future versions of the Podor system. Please, take off your pants already.
              It’s not that difficult, just take and take off your pants
              Experimental encryption of the ancient Hebrew language
              Complete infection with syphilis
              Turn off RST, spread your buttocks, and continue
              Everything is a hook
              You left with your pin point
              Too much grease on the primary socket
              Leave unwashed
              The mount point should start with removing the pants "/"

              • Azzu@lemm.ee
                link
                fedilink
                arrow-up
                5
                ·
                1 year ago

                I mean yeah, I was speculating. But what you posted also seems easily detectable :D

              • Skelectus@suppo.fi
                link
                fedilink
                arrow-up
                5
                ·
                1 year ago

                That’s a lot of pant removal.

                But anyway, it should be quite possible to automatically screen the translation for something this blatant.

    • 2ncs@lemmy.world
      link
      fedilink
      arrow-up
      38
      ·
      1 year ago

      I would assume since it was a block of raw text in Ukrainian in a translation file, it would have passed more under the radar than something like a backdoor. I do not know how things are reviewed before being pushed to release though.

    • utopiah
      link
      fedilink
      arrow-up
      26
      ·
      1 year ago

      Not really, not only because of the language but also because the same scrutiny between code and content wouldn’t have to be the same. I also don’t expect core aspects of the distribution, e.g kernel, package manager, cryptography libraries, to be verified the same way than a random software, e.g Kdenlive. So… is it bad, absolutely. Does it mean everything should be questioned again? Probably not.

    • java@beehaw.org
      link
      fedilink
      arrow-up
      17
      ·
      edit-2
      1 year ago

      I’m sure more people know C or Python than Ukrainian at Canonical. It looks like this particular change has been authorized by a third-party localization project, though I’m not sure the whole process works.

    • priapus@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      Translations are not going to be analyzed as thoroughly as code, and this was still found quite quickly. Submitted code is analyzed much more thoroughly, often by multiple members or the project.

    • ipkpjersi
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      It is very concerning, absolutely. With that said, it’s entirely possible localization/translation reviews work differently than code reviews.

    • sim642@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Most translations are contributed by external users for languages that the project developers don’t speak themselves, so they can’t always check everything unless there’s multiple active translators for one language.

      • icedterminal@lemmy.world
        link
        fedilink
        English
        arrow-up
        19
        arrow-down
        2
        ·
        edit-2
        1 year ago

        Lol. You have to understand the context here. This is just translations. Actual code has many, many more eyes on it. An entire university was banned from submitting code to Linux, because of two dumbasses. They found and fixed genuine bugs. Built up lots of trust. Then violated that trust with actual use-after-free bugs submitted intentionally.

        The submitted “patches” to the development branch was to prove it’s easy to get exploits into high profile open source projects. They ultimately proved the contrary. Making their “research” bunk. The code they submitted never made it past the development testing phase.

        • Polar@lemmy.ca
          link
          fedilink
          arrow-up
          4
          arrow-down
          15
          ·
          1 year ago

          The context is that code made its way into shipped open source software.

          The type doesn’t matter. It proves that there can be slip ups.

          Move goal posts, though.