04-26-2021, 12:10 PM
I know that this news is a bit old, 4 days ago, but it touched me at the core and I wanted to write about it.
If you didn't read it, don't worry, I will provide an "offensive-less" summary of what the researchers of Minnesota tried to do.
On 21 April 2021 an email from Greg Kroah-Hartman announced his decision to ban the University of Minnesota from the Linux development contributors and to revert their commits (= nullify all their code changes). The researchers tried to intentionally insert bugs in an unauthorised penetration test to perform an experiment described in one of their scientific articles... THEY COULD HAVE AFFECTED YOUR SECURITY.
These ***** researchers just used the trust of the open source community to perform a dangerous experiment to boost their own paper careers. It is disgusting.
We should thank the numerous reviewers who protect us by inspecting the code.
I will stop my personal summary here because I could use an offensive tone, so I will just append the "polite" email from Greg Kroah-Hartman:
I have been meaning to do this for a while, but recent events have
finally forced me to do so.
Commits from @umn.edu addresses have been found to be submitted in "bad
faith" to try to test the kernel community's ability to review "known
malicious" changes. The result of these submissions can be found in a
paper published at the 42nd IEEE Symposium on Security and Privacy
entitled, "Open Source Insecurity: Stealthily Introducing
Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
of Minnesota) and Kangjie Lu (University of Minnesota).
Because of this, all submissions from this group must be reverted from
the kernel tree and will need to be re-reviewed again to determine if
they actually are a valid fix. Until that work is complete, remove this
change to ensure that no problems are being introduced into the
codebase.
This patchset has the "easy" reverts, there are 68 remaining ones that
need to be manually reviewed. Some of them are not able to be reverted
as they already have been reverted, or fixed up with follow-on patches
as they were determined to be invalid. Proof that these submissions
were almost universally wrong.
I will be working with some other kernel developers to determine if any
of these reverts were actually valid changes, were actually valid, and
if so, will resubmit them properly later. For now, it's better to be
safe.
I'll take this through my tree, so no need for any maintainer to worry
about this, but they should be aware that future submissions from anyone
with a umn.edu address should be by default-rejected unless otherwise
determined to actually be a valid fix (i.e. they provide proof and you
can verify it, but really, why waste your time doing that extra work?)
thanks,
greg k-h
What do you think about it?
The open source community is always friendly and open minded to new and senior contributors, but these researchers just decided on their own to do something so dangerous that it could have affected our daily-use devices.