It's like if my wife said "I'm taking the car to get it washed" and then she actually takes the car to the junkyard and sells it. "Ha, you got fooled!". I mean, yes, obviously. She's on the inside of my trust boundary and I don't want to live a life where I'm actually operating in a way immune to this 'exploit'.
I get that others object to the human experimentation part of things and so on, but for me that could be justified with a sufficiently high bar of utility. The problem is that this research is useless.
1. Prof and students make fake identities
2. They submit these secret vulns to Greg KH and friends
3. Some of these patches are accepted
4. They intervene at this point and reveal that the patches are malicious
5. The patches are then not merged
6. This news comes out and Greg KH applies big negative trust score to umn.edu
7. Some other student submits a buggy patch to Greg KH
8. Greg KH assumes that it is more research like this
9. Student calls it slander
10. Greg KH institutes policy for his tree that all umn.edu patches should be auto-rejected and begins reverts for all patches submitted in the past by such emails
To be honest, I can't imagine any other such outcome could have occurred. No one likes being cheated out of work that they did, especially when a lot of it is volunteer work. But I was wrong to say the research was useless. It does demonstrate that identities without provenance can get malicious code into the kernel.
Perhaps what we really need is a Social Credit Score for OSS ;)
> 4. They intervene at this point and reveal that the patches are malicious
> 5. The patches are then not merged
It's not clear to me that they revealed anything, just that they did fix the problems:
> In their paper, Lu and Wu claimed that none of their bugs had actually made it to the Linux kernel — in all of their test cases, they’d eventually pulled their bad patches and provided real ones. Kroah-Hartman, of the Linux Foundation, contests this — he told The Verge that one patch from the study did make it into repositories, though he notes it didn’t end up causing any harm.
(I'm only working from this article, though, so feel free to correct me)
But there are always the BSDs.
gnabgib•1h ago
jovial_cavalier•33m ago
Also, banning umn.edu email addresses didn't even make sense since the hypocrite commits were all from gmail addresses.
yjftsjthsd-h•15m ago
The blanket ban was kicked off by another incident after the hypocrite commit incident.