Possibly unpopular opinion, but I feel like "only merge things after verifying they are valid" should maybe be the default policy of the most used piece of software in the world.
Like, the Linux kernel maintainers are saying they can't tell if a patch is malicious so have to rely on the email address domain name. Why are we focusing on the academics, this is a problem!
Quote Tweet
the whole "it's extremely difficult for us to verify that this kernel patch isn't malicious" business is a real indictment of C twitter.com/FiloSottile/st…
Replying to
Although the Linux maintainers were inexcusably rude, running a study with intentional deception without consent or even coordinating with someone at the project in advance is against every ounce of human subjects training that I've received
Replying to
I am not defending the academics, but I don't rely on them to keep everything around me running and secure. The maintainers' reaction is not rude, it is concerning! It sounds like they rely on checking the evil bit to stop malicious patches. What if HackingTeam has Gmail addresses?
Replying to and
The researchers were submitting correct patches too. They say that in 3 cases, they submitted intentionally incorrect patches and then told the maintainers it was wrong and provided the correct patch instead. They were seemingly doing useful work on the kernel for the most part.
Lots of these patches appear to be correct fixes for memory corruption, etc. and are going to be reverted due to loss of trust in the authors. In reply to Greg's post on Twitter, a kernel maintainer states a patch to the code they maintain was correct but it's being reverted.
They genuinely seemed to want to bring attention to a legitimate problem. Nothing stops someone truly malicious from doing the same thing without telling the maintainers they shouldn't take the patch after they respond. They demonstrated a real problem, ethical research or not.
Replying to and
I think that can probably be stated for patches to the kernel in general. A lot of fixes for these kinds of issues are wrong or pointless. That's my experience with attempted fixes for static analysis diagnostics and compiler warnings in general. Doesn't mean it's malicious.
The research was unethical, but the problem goes far beyond that. Are they going to revert and review other similar patches which were not meaningfully understood, tested or reviewed? No, just these ones. The process for accepting code does not counter bad actors well at all.