On 2021-04-25 4:41 p.m., D. Hugh Redelmeier via talk wrote:
| From: Alvin Starr via talk <[email protected]>
| If the zdnet report is to be believed then there was at least one attempt to
| insert code after being found out and asked to stop.
|
| https://www.zdnet.com/article/greg-kroah-hartman-bans-university-of-minnesota-from-linux-development-for-deliberately-buggy-patches/
See:
<https://lore.kernel.org/linux-nfs/[email protected]/>
I don't think that Steven J. Vaughan-Nichols' interpretation is
correct (it seems to be GKH's). If you look at the email exchange in
question, the "attempt to insert code" was an attempt to submit a real
bug-fix, not an attempt to add a bug. But:
- the fix was to a bug that didn't exist. Careful reading of the
surrounding code shows that the problem addressed could not happen.
- it is hard to understand leaks and non-leaks, so this submission
only shows that Pakki is not yet a good kernel programmer.
- it does not introduce a vulnerability

This is kind of getting into the weeds.
The offending paper that looks to describe what was done can be found at
https://github.com/QiushiWu/qiushiwu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
The paper appears to have been posted 3 months ago along with all the
other content in the site.
This would appear to predate the email thread where this all blew up.
On the other hand, I am not sure how much to trust the GitHub posting dates.
I think
https://davisjam.medium.com/ethical-conduct-in-cybersecurity-research-86d13b6b6eed
provides an eloquent description of the events and actions of most of
the actors involved.
--
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
[email protected] ||