On Sun, Apr 25, 2021 at 11:32 AM D. Hugh Redelmeier via talk < [email protected]> wrote:
> | From: Aruna Hewapathirane via talk <[email protected]>
>
> Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)
>

Hello Hugh, I never subscribed, I just read it now and then :-)

> | I am still trying to understand the reason 'why' would anyone even want to
> | do this ?
>
> The first question is "what, exactly, is 'this'?".
>
> I've ONLY read media reports and their recent apology. So I'm not the most informed.
>
> <https://lore.kernel.org/lkml/cak8kejpuvlxmqp026jy7x5gzhu2yjlpu8sztzunxu2oxc70...@mail.gmail.com/T/#u>
>
> Some reactions.
>
> The apology starts with:
>
> "We sincerely apologize for any harm our research group did to the Linux kernel community."
>
> This common formulation rubs me the wrong way. The word "any" means that they are not actually admitting to there being harm. If they had used "the" or "all", I would interpret it as a genuine apology.
>
> Later they seem more contrite. But it is buried at the end of a paragraph, near the end of the message:
>
> "We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."
>
> I think that they may have done the communities a service. This kind of weakness injection has always been available to bad actors. In this case, it was an actor intending to do good.
>
> - they don't think that they actually added a vulnerability
>
> - they demonstrated how adding a vulnerability could be done
>
> GKH appears to have over-reacted. (I may be wrong: he's always seemed like a rock-steady guy.)
>
> He's reverting 190 commits that were not declared to be part of this experiment. It is claimed, in the apology, that those ones were done in good faith.
>
> I do find it odd that the "research" was done last August but that the hoax was only revealed recently.
>
> Looking more closely at a claim in the apology message:
>
> * This work did not introduce vulnerabilities into the Linux code. The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code. We reported the findings and our conclusions (excluding the incorrect patches) of the work to the Linux community before paper submission, collected their feedback, and included them in the paper.
>
> What "message board"? Do they mean the Linux Kernel Mailing List (not a message board)?
>
> What does "stopped" actually mean? My understanding was that these changes were actually committed. Perhaps I'm wrong.
>
>
> This is intriguing:
>
> * We understand the desire of the community to gain access to and examine the three incorrect patches. Doing so would reveal the identity of members of the community who responded to these patches on the message board. Therefore, we are working to obtain their consent before revealing these patches.
>
> So there *must* be more disclosure. Until then, we cannot be satisfied.
>

I think the best person who is 'qualified' to answer these questions would be Dhaval, as he has code in the kernel and is the current Software manager at Oracle.

Aruna (Am thinking what have I started now ...)

> ---
> Post to this mailing list [email protected]
> Unsubscribe from this mailing list
> https://gtalug.org/mailman/listinfo/talk
>
