On Sun, Apr 25, 2021 at 12:08 PM Dhaval Giani via talk <[email protected]> wrote:
> On Sun, Apr 25, 2021 at 8:32 AM D. Hugh Redelmeier via talk <[email protected]> wrote:
> >
> > | From: Aruna Hewapathirane via talk <[email protected]>
> >
> > Thanks for pointing this out. (I used to subscribe to the LKML but it just got too voluminous.)
> >
> > | I am still trying to understand the reason 'why' would anyone even want to
> > | do this ?
> >
> > The first question is "what, exactly, is 'this'?".
> >
> > I've ONLY read media reports and their recent apology. So I'm not the most informed.
> > <https://lore.kernel.org/lkml/cak8kejpuvlxmqp026jy7x5gzhu2yjlpu8sztzunxu2oxc70...@mail.gmail.com/T/#u>
> >
> > Some reactions.
> >
> > The apology starts with:
> >
> > "We sincerely apologize for any harm our research group did to the Linux kernel community."
> >
> > This common formulation rubs me the wrong way. The word "any" means that they are not actually admitting to there being harm. If they had used "the" or "all", I would interpret it as a genuine apology.
> >
> > Later they seem more contrite. But it is buried at the end of a paragraph, near the end of the message:
> >
> > "We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps."
> >
> > I think that they may have done the communities a service. This kind of weakness injection has always been available to bad actors. In this case, it was an actor intending to do good.
> >
> > - they don't think that they actually added a vulnerability
> >
> > - they demonstrated how adding a vulnerability could be done
> >
> > GKH appears to have over-reacted. (I may be wrong: he's always seemed like a rock-steady guy.)
>
> As someone actually affected by these reverts :-). Greg KH did not overreact. These guys did not do the community a service. They did add vulnerabilities (those have been reverted since) and they did not tell us anything. I myself have left old code in the kernel when trying to get rid of some of my stuff. And I was not trying to inject a bug. They did not tell me anything I did not already know. It is easy to get bugs into the kernel. Let me link to the paper and their "contributions".
>
> https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
>
> --
> VIII A
> By its nature, OSS openly encourages contributors. Committers can freely submit patches without liability. We believe that an effective and immediate action would be to update the code of conduct of OSS, such as adding a term like “by submitting the patch, I agree to not intend to introduce bugs.” Only committers who agreed to it would be allowed to go ahead to submit the patches. By introducing the liability, the OSS would not only discourage malicious committers but also raise the awareness of potential introduced bugs for benign committers.
> --
>
> This is a mitigation. Have contributors claim they are not introducing bugs (at least intentionally).
>
> The rest of the mitigations are equally bizarre. They are not telling us anything we don't know. There is nothing original in this work (except for the human experimentation aspect of it.)
>
> Now let's talk about the negative impact. It is already hard enough to contribute to the Linux kernel. It is built on trust. They have destroyed any trust we had in code coming from UMN. How do we know we are not being experimented on for research? Like Greg pointed out, it is much easier for us to ignore all their stuff. I don't have enough seconds in my minute to get my day job done. On top of that, any newcomer will have to face a much higher bar, making it even more hostile. (I actually see it as a negative, because it is easier to ignore the newcomer as opposed to doing the extra work. And generally most newcomers with some work turn out to be darn good contributors.) It will make it harder to look at non-corporate contributions seriously.
>
> And as far as UMN is concerned, this is not the first time they have been involved in questionable experiments. The last time had much more serious consequences.
> https://en.wikipedia.org/wiki/Death_of_Dan_Markingson
>
> Dhaval
>
> Speak of the devil and he appears :-)
>
> Post to this mailing list [email protected]
> Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
>
---
Post to this mailing list [email protected]
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
