  #1  
Old 23-04-21, 01:21 PM
WYP's Avatar
WYP WYP is offline
News Guru
 
Join Date: Dec 2010
Location: Northern Ireland
Posts: 20,105
Linux Foundation bans University after it intentionally submits "nonsense" patches

The Linux community won't be experimented with.



Read more about the University of Minnesota being banned from making Linux contributions.

__________________
_______________________________
Twitter - @WYP_PC
  #2  
Old 23-04-21, 01:38 PM
looz's Avatar
looz looz is offline
OC3D Elite
 
Join Date: Feb 2013
Location: Finland
Posts: 2,234
Honestly their hypothesis of contributing malicious code to open source projects and seeing if it sticks is worth exploring, but the way they behaved was incredibly poor. I think it's even likely that malicious patches have been merged to major open source projects.


Also:
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.

LOL
__________________
i7 9900k - 16GB - 3080 XC3 Ultra - 660p 1TB + MX500 2TB - HE-4XX w/ Topping D30+A30
  #3  
Old 23-04-21, 01:57 PM
NeverBackDown NeverBackDown is offline
AMD Enthusiast
 
Join Date: Dec 2012
Posts: 17,721
I'm glad Linux as a whole put their foot down and made an example out of them. You could very easily make your own fork and try things yourself, not introduce experiments to the production branch.
  #4  
Old 23-04-21, 01:58 PM
looz's Avatar
looz looz is offline
OC3D Elite
 
Join Date: Feb 2013
Location: Finland
Posts: 2,234
Quote:
Originally Posted by NeverBackDown View Post
You could very easily make your own fork and try things yourself, not introduce experiments to the production branch.
That's irrelevant when it comes to researching supply chain attacks.
__________________
i7 9900k - 16GB - 3080 XC3 Ultra - 660p 1TB + MX500 2TB - HE-4XX w/ Topping D30+A30
  #5  
Old 23-04-21, 02:04 PM
WYP's Avatar
WYP WYP is offline
News Guru
 
Join Date: Dec 2010
Location: Northern Ireland
Posts: 20,105
Quote:
Originally Posted by looz View Post
Honestly their hypothesis of contributing malicious code to open source projects and seeing if it sticks is worth exploring, but the way they behaved was incredibly poor. I think it's even likely that malicious patches have been merged to major open source projects.


Also:
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.

LOL
It is an interesting thing to explore. But from the other side, they are intentionally trying to ruin projects and are wasting the time and effort of developers.

If I were an open-source developer affected by that, I'd cut that group off and label them as a bunch of actively unhelpful idiots as well. While the research is worth exploring, they deserve what they got. IMHO
__________________
_______________________________
Twitter - @WYP_PC
  #6  
Old 23-04-21, 02:07 PM
looz's Avatar
looz looz is offline
OC3D Elite
 
Join Date: Feb 2013
Location: Finland
Posts: 2,234
Quote:
Originally Posted by WYP View Post
It is an interesting thing to explore. But from the other side, they are intentionally trying to ruin projects and are wasting the time and effort of developers.

If I were an open-source developer affected by that, I'd cut that group off and label them as a bunch of actively unhelpful idiots as well. While the research is worth exploring, they deserve what they got. IMHO
Yep, no questions about the decision to cut them off - completely warranted. And they're completely unreasonable; they should assist in fixing the mess they've created instead of calling it slander.

But the supply chain of something like the Linux kernel needs to be scrutinized, the fact that some of the garbage patches were mainlined is worrying.
__________________
i7 9900k - 16GB - 3080 XC3 Ultra - 660p 1TB + MX500 2TB - HE-4XX w/ Topping D30+A30
  #7  
Old 23-04-21, 02:37 PM
tgrech tgrech is offline
OC3D Elite
 
Join Date: Jun 2013
Location: UK
Posts: 2,239
Yeah, while whoever this is has clearly not conducted themselves appropriately for the task at hand, with almost troll-like communication, if some of these patches have been mainlined then that is the much more worrying revelation here imo. It could have been someone with much more malicious intent, and much more desire to hide their actions, than whichever grad student(s) decided to pull this off. For all we know now, it could have already happened with genuine malice many times before.
  #8  
Old 23-04-21, 02:37 PM
WYP's Avatar
WYP WYP is offline
News Guru
 
Join Date: Dec 2010
Location: Northern Ireland
Posts: 20,105
Quote:
Originally Posted by looz View Post
Yep, no questions about the decision to cut them off - completely warranted. And they're completely unreasonable; they should assist in fixing the mess they've created instead of calling it slander.

But the supply chain of something like the Linux kernel needs to be scrutinized, the fact that some of the garbage patches were mainlined is worrying.
I feel like that kind of research should be done with some project higher-ups knowing about it.

I.e., you let us submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.
__________________
_______________________________
Twitter - @WYP_PC
  #9  
Old 23-04-21, 02:39 PM
looz's Avatar
looz looz is offline
OC3D Elite
 
Join Date: Feb 2013
Location: Finland
Posts: 2,234
Quote:
Originally Posted by WYP View Post
I feel like that kind of research should be done with some project higher-ups knowing about it.

I.e., you let us submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.
I wouldn't be surprised if pentesting companies did that.

But in this case it's clear that fixing issues isn't the guy's motivation, instead he wanted a paper out of it and proceeded to be difficult to deal with.
__________________
i7 9900k - 16GB - 3080 XC3 Ultra - 660p 1TB + MX500 2TB - HE-4XX w/ Topping D30+A30
  #10  
Old 23-04-21, 02:41 PM
NeverBackDown NeverBackDown is offline
AMD Enthusiast
 
Join Date: Dec 2012
Posts: 17,721
Quote:
Originally Posted by WYP View Post
I feel like that kind of research should be done with some project higher-ups knowing about it.

I.e., you let us submit bad code and we will help you find errors in your mainlining process. I don't know how such a system would work, but something should have been in place so that that experiment couldn't mainline bad code and that the time spent on that code wasn't completely wasted.
You can submit bad code to a non-production branch and, with the higher-ups' knowledge, they can watch it and see how their developers are working. If they catch it, submit it to production, etc. Then they can see where their development cycle has flaws, whether it be human error or something else.

This way research can be done and everybody benefits.