On Mon, 24 May 2021, SAIFI wrote:
We posted this as a community update on 2021-04-21:
CS folks from the University of Minnesota were trying to introduce
vulnerabilities into the Linux kernel as part of a research study. The idea was
to send known-buggy patches to see how the kernel folks would react to
them.
On the feasibility of stealthily introducing vulnerabilities in Open
Source Software via Hypocrite commits
https://github.com/QiushiWu/qiushiwu.github.io/raw/main/papers/OpenSourceInsecurity.pdf
Now it has taken 80 developers to revert the commits and fix the
vulnerabilities, leading to the kernel 5.13-RC3 release.
Please see the 2021-05-20 commit log here:
https://lore.kernel.org/lkml/[email protected]/
and then the discussion thread:
https://lore.kernel.org/lkml/cak8kejpuvlxmqp026jy7x5gzhu2yjlpu8sztzunxu2oxc70...@mail.gmail.com/T/#u
Giacomo Tesio, in his reply, makes the most useful and insightful remark:

> All the livor and drama that followed your research proves that
> the Linux Foundation failed to learn the lessons of Heartbleed.
Warm regards,
Saifi.