This post was updated on Oct 16, 2023 at 18:26 BST.
We are pleased to announce that, following an audit of all desktop installer translations, Ubuntu Desktop 23.10 is available for download from https://ubuntu.com/download/desktop
Updated builds for Ubuntu Budgie 23.10 and Ubuntu Desktop 23.10 Lenovo X13s Gen1 are also available.
Going forward we will be drafting new safeguards around translation moderation in Ubuntu Desktop. We will share the outcome of these discussions once they are refined.
This post was updated on Oct 13, 2023 at 16:50 BST.
Summary
A community contributor submitted offensive Ukrainian translations to a public, third party online service that we use to provide language support for the Ubuntu Desktop installer. Around three hours after the release of Ubuntu 23.10 this fact was brought to our attention and we immediately removed the affected images.
After completing initial triage, we believe that the incident only impacts translations presented to a user during installation through the Live CD environment (not an upgrade). During installation the translations are resident in memory only and are not propagated to the disk. If you have upgraded to Ubuntu Desktop 23.10 from a previous release, then you are not affected by this issue.
The impacted images were Ubuntu Desktop 23.10 and Ubuntu Budgie 23.10.
The Ubuntu Desktop Legacy ISO is still available and not affected.
Please keep in mind that translations are data files that support internationalisation of applications. These files are updated with the support of third-party online systems with contributions from individuals all around the world that then get integrated into Ubuntu. It’s unfortunate when that path of collaboration is undermined and used as a mechanism of social aggression. Canonical and Ubuntu do not condone hate speech or offensive language of any kind, as per our code of conduct.
FAQ
- Which versions are affected?
- Ubuntu Desktop 23.10
- Ubuntu Desktop 23.10 arm64 image for Lenovo X13s
- Ubuntu Budgie 23.10
- When will an updated Ubuntu Desktop 23.10 ISO be available?
- We expect a candidate daily image to be completed today with a new release image to follow early next week.
- In the meantime users can continue to install Ubuntu Desktop 23.10 using the legacy installer ISO available on our downloads page, which is unaffected by this issue.
- Is anything else impacted?
- Based on what we know today, only the
ubuntu-desktop-installerapplication was affected.
- What happens if I have already installed one of the affected images?
- The installer application only runs in the Live CD environment. Meaning that once you’ve installed and rebooted your system the application is no longer present.
- Am I affected by upgrading from a previous Ubuntu release?
- No, as the affected translations are only used during installation.
- Which repositories were affected and what should I do if I have the offensive content locally?
- The affected repositories are ubuntu desktop provision and ubuntu desktop installer. If you have cloned either of these we recommend you update your local branches by either re-cloning or resetting against origin/main.
- What should I do if I have concerns in the future?
- We are passionate about the security and quality of our products, at anytime if there is suspicion of malicious or foul play please reach out to security@canonical.com.
Original post published on 12 Oct 2023 at 11:17pm BST
Summary
Shortly after release we identified hate speech from a malicious contributor in a specific set of translations of the Ubuntu Desktop installer UI and have taken immediate action. These translations are being removed and an updated ISO will be available to download once we have replaced the offending material.
It is important to note that these translations are not part of the Ubuntu Archive and we believe the incident is contained only to translations provided via a third party translation tool we use for a subset of applications.
The affected images that have been removed are Ubuntu Desktop 23.10, Ubuntu Budgie 23.10 and the Ubuntu Desktop daily images.
We will update this post with further details on our investigation and when an updated desktop image will be available.
What happens if I have already installed one of the affected images?
We have reasonable assurance that this incident only affects a set of translations in the Desktop installer and we have no reason to believe your system and data have been compromised.
If you have upgraded to Ubuntu Desktop 23.10 from a previous release, then you should not be affected by this incident.