Linux Foundation bans University after it intentionally submits "nonsense" patches

WYP · #1 23-04-21, 01:21 PM

The Linux community won't be experimented with.

Read more about the University of Minnesota being banned from making Linux contributions.

looz · #2 23-04-21, 01:38 PM

Honestly their hypothesis of contributing malicious code to open source projects and seeing if it sticks is worth exploring, but the way they behaved was incredibly poor. I think it's even likely that malicious patches have been merged to major open source projects.

Also:
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.
LOL

NeverBackDown · #3 23-04-21, 01:57 PM

I'm glad Linux as a whole put their foot down and made an example out of them. You could very easily make your own fork and try things yourself, not introduce experimemts to the production branch.

looz · #4 23-04-21, 01:58 PM

Quote:

Originally Posted by NeverBackDown

You could very easily make your own fork and try things yourself, not introduce experimemts to the production branch.

That's irrelevant when it comes to researching supply chain attacks.

WYP · #5 23-04-21, 02:04 PM

Quote:

Originally Posted by looz

Honestly their hypothesis of contributing malicious code to open source projects and seeing if it sticks is worth exploring, but the way they behaved was incredibly poor. I think it's even likely that malicious patches have been merged to major open source projects.

Also:
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.
LOL

It is an interesting thing to explore. But from the other side, they are intentionally trying to ruin projects and are wasting the time and effort of developers.

If I were an open-source developer affected by that, I'd cut that group off and label them as a bunch of actively unhelpful idiots as well. While the research is worth exploring, they deserve what they got. IMHO

looz · #6 23-04-21, 02:07 PM

Quote:

Originally Posted by WYP

It is an interesting thing to explore. But from the other side, they are intentionally trying to ruin projects and are wasting the time and effort of developers.

If I were an open-source developer affected by that, I'd cut that group off and label them as a bunch of actively unhelpful idiots as well. While the research is worth exploring, they deserve what they got. IMHO

Yep, no questions about the decision to cut them off - completely warranted. And they're completely unreasonable, they should assist in fixing the mess they've created instead of calling it slander.

But the supply chain of something like the Linux kernel needs to be scrutinized, the fact that some of the garbage patches were mainlined is worrying.

tgrech · #7 23-04-21, 02:37 PM

Yeah while whoever this is has clearly not conducted themselves appropriately for the task at hand, with almost troll-like communication, if some of these patches have been mainlined then that is the much more worrying revelation here imo, it could have been someone with much more malicious intent, and much more desire to hide their actions, than whichever grad student(s) decided to pull this off, for all we know now it could have already happened with genuine malice many times before.

WYP · #8 23-04-21, 02:37 PM

Quote:

Originally Posted by looz

Yep, no questions about the decision to cut them off - completely warranted. And they're completely unreasonable, they should assist in fixing the mess they've created instead of calling it slander.

But the supply chain of something like the Linux kernel needs to be scrutinized, the fact that some of the garbage patches were mainlined is worrying.

I feel like that kind of research should be done with some project higher-ups knowing about it.

IE, you let up submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.

looz · #9 23-04-21, 02:39 PM

Quote:

Originally Posted by WYP

I feel like that kind of research should be done with some project higher-ups knowing about it.

IE, you let up submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.

I wouldn't be surprised if pentesting companies did that.

But in this case it's clear that fixing issues isn't the guy's motivation, instead he wanted a paper out of it and proceeded to be difficult to deal with.

NeverBackDown · #10 23-04-21, 02:41 PM

Quote:

Originally Posted by WYP

I feel like that kind of research should be done with some project higher-ups knowing about it.

IE, you let up submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.

You can submit bad code to a non production branch and with the higher ups knowledge they can watch it and see how their developer's are working. If they catch it, submit it to production, etc. Then they can see where there development cycle has flaws whether it be human error or something else.

This way research can be done and everybody benefits.