On Sun, Apr 25, 2021, 12:07 PM Karen Lewellen via talk <[email protected]> wrote:
> I am not sure I resonate.
> Why banning an entire university program for the actions of two students?
> It's like saying because one doctor abused his duties, we will not let
> anyone seek care from St. Michael's hospital ever again.
> Rephrasing.

If you knew about a doctor abusing patients at a hospital and getting away
with it, would you trust the hospital for your care or find another one?
Well, there is a doctor at that hospital who has given you excellent care in
the past (trust factor). So maybe you go to them then. It is the same here.
The University broke the trust factor. The IRB failed to do its job.

Dhaval

> Or for a more computer reference, Cloudflare's deciding I am a threat
> because I cannot solve their noninclusive captcha... they have a zero
> tolerance policy too.
>
> On Sun, 25 Apr 2021, Ansar Mohammed via talk wrote:
>
> > I know some people may think this is an over-reaction. But FWIW, I agree
> > with the Zero Tolerance approach.
> >
> > On Sun, Apr 25, 2021 at 12:08 PM Dhaval Giani via talk <[email protected]>
> > wrote:
> >
> >> On Sun, Apr 25, 2021 at 8:32 AM D. Hugh Redelmeier via talk
> >> <[email protected]> wrote:
> >>>
> >>> | From: Aruna Hewapathirane via talk <[email protected]>
> >>>
> >>> Thanks for pointing this out. (I used to subscribe to the LKML but it
> >>> just got too voluminous.)
> >>>
> >>> | I am still trying to understand the reason 'why' would anyone even
> >>> | want to do this?
> >>>
> >>> The first question is "what, exactly, is 'this'?".
> >>>
> >>> I've ONLY read media reports and their recent apology. So I'm not the
> >>> most informed.
> >>> <https://lore.kernel.org/lkml/cak8kejpuvlxmqp026jy7x5gzhu2yjlpu8sztzunxu2oxc70...@mail.gmail.com/T/#u>
> >>>
> >>> Some reactions.
> >>>
> >>> The apology starts with:
> >>>
> >>> "We sincerely apologize for any harm our research group did to the
> >>> Linux kernel community."
> >>>
> >>> This common formulation rubs me the wrong way. The word "any" means
> >>> that they are not actually admitting to there being harm. If they had
> >>> used "the" or "all", I would interpret it as a genuine apology.
> >>>
> >>> Later they seem more contrite. But it is buried at the end of a
> >>> paragraph, near the end of the message:
> >>>
> >>> "We apologize unconditionally for what we now recognize was a breach of
> >>> the shared trust in the open source community and seek forgiveness for
> >>> our missteps."
> >>>
> >>> I think that they may have done the communities a service. This kind
> >>> of weakness injection has always been available to bad actors. In
> >>> this case, it was an actor intending to do good.
> >>>
> >>> - they don't think that they actually added a vulnerability
> >>>
> >>> - they demonstrated how adding a vulnerability could be done
> >>>
> >>> GKH appears to have over-reacted. (I may be wrong: he's always seemed
> >>> like a rock-steady guy.)
> >>>
> >>
> >> As someone actually affected by these reverts :-). Greg KH did not
> >> over-react. These guys did not do the community a service. They did
> >> add vulnerabilities (those have been reverted since) and they did not
> >> tell us anything. I myself have left old code in the kernel when
> >> trying to get rid of some of my stuff. And I was not trying to inject
> >> a bug. They did not tell me anything I did not already know. It is
> >> easy to get bugs into the kernel. Let me link to the paper and their
> >> "contributions".
> >>
> >> https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
> >>
> >> --
> >> VIII A
> >> By its nature, OSS openly encourages contributors. Committers can
> >> freely submit patches without liability. We believe that an effective
> >> and immediate action would be to update the code of conduct of OSS,
> >> such as adding a term like “by submitting the patch, I agree to not
> >> intend to introduce bugs.” Only committers who agreed to it would be
> >> allowed to go ahead to submit the patches. By introducing the
> >> liability, the OSS would not only discourage malicious committers but
> >> also raise the awareness of potential introduced bugs for benign
> >> committers.
> >> --
> >>
> >> This is a mitigation. Have contributors claim they are not introducing
> >> bugs (at least intentionally).
> >>
> >> The rest of the mitigations are equally bizarre. They are not telling
> >> us anything we don't know. There is nothing original in this work
> >> (except for the human experimentation aspect of it.)
> >>
> >> Now let's talk about the negative impact. It is already hard enough to
> >> contribute to the Linux kernel. It is built on trust. They have
> >> destroyed any trust we had in code coming from UMN. How do we know we
> >> are not being experimented on for research? Like Greg pointed out, it is
> >> much easier for us to ignore all their stuff. I don't have enough
> >> seconds in my minute to get my day job done. On top of that, any
> >> newcomer will have to face a much higher bar, making it even more
> >> hostile. (I actually see it as a negative, because it is easier to
> >> ignore the newcomer as opposed to doing the extra work. And generally
> >> most newcomers with some work turn out to be darn good contributors.)
> >> It will make it harder to look at non-corporate contributions
> >> seriously.
> >>
> >> And as far as UMN is concerned, this is not the first time they have
> >> been involved in questionable experiments. The last time had much more
> >> serious consequences.
> >> https://en.wikipedia.org/wiki/Death_of_Dan_Markingson
> >>
> >> Dhaval
> >> ---
> >> Post to this mailing list [email protected]
> >> Unsubscribe from this mailing list
> >> https://gtalug.org/mailman/listinfo/talk
