Possibly unpopular opinion, but I feel like "only merge things after verifying they are valid" should maybe be the default policy of the most used piece of software in the world.
Like, the Linux kernel maintainers are saying they can't tell if a patch is malicious so have to rely on the email address domain name.
Why are we focusing on the academics, this is a problem!
the whole "it's extremely difficult for us to verify that this kernel patch isn't malicious" business is a real indictment of C twitter.com/FiloSottile/st…
Although the Linux maintainers were inexcusably rude, running a study with intentional deception without consent or even coordinating with someone at the project in advance is against every ounce of human subjects training that I've received
I am not defending the academics but I don't rely on them to keep everything around me running and secure.
The maintainers' reaction is not rude, it is concerning! It sounds like they rely on checking the evil bit to stop malicious patches.
What if HackingTeam has Gmail addresses?
My read is that they're annoyed about having their time wasted intentionally, not that they are blocking the domain as a security precaution, but I might be misunderstanding
The researchers were submitting correct patches too. They say that in 3 cases, they submitted intentionally incorrect patches and then told the maintainers it was wrong and provided the correct patch instead.
They were seemingly doing useful work on the kernel for the most part.
Lots of these patches appear to be correct fixes for memory corruption, etc., and are going to be reverted due to loss of trust in the authors. In reply to Greg's post on Twitter, a kernel maintainer states that a patch to the code they maintain was correct but it's being reverted.
If they were polluting useful work with distrust, getting it reverted, and making maintainers who already reviewed it do double work trying to get the correct changes unreverted, then they were hardly doing useful work but rather sabotage.
It's rude, but demonstrating that the review process is flawed isn't malicious. They stated afterwards that the patch was flawed and provided a correct one.
I think they didn't properly consider how they could cause harm and should accept it was wrong, but it was still useful.
I think it's pretty rude to trick someone without having gotten permission and then tell them they were tricked, which makes the reviewer look bad and makes the project look bad.
They proved something a lot of us take for granted, but many people claim this wouldn't be so easy.