Conversation

Replying to

Like, the Linux kernel maintainers are saying they can't tell if a patch is malicious so have to rely on the email address domain name. Why are we focusing on the academics, this is a problem!

Quote Tweet

the whole "it's extremely difficult for us to verify that this kernel patch isn't malicious" business is a real indictment of C twitter.com/FiloSottile/st…

223

Replying to

Although the Linux maintainers were inexcusably rude, running a study with intentional deception without consent or even coordinating with someone at the project in advance is against every ounce of human subjects training that I've received

Replying to

I am not defending the academics but I don't rely on them to keep everything around me running and secure. The maintainers' reaction is not rude, is concerning! It sounds like they rely on checking the evil bit to stop malicious patches. What if HackingTeam has Gmail addresses?

Replying to

My read is that they're annoyed about having their time wasted intentionally, not that they are blocking the domain as a security precaution, but I might be misunderstanding

Replying to

and

The researchers were submitting correct patches too. They say that in 3 cases, they submitted intentionally incorrect patches and then told the maintainers it was wrong and provided the correct patch instead. They were seemingly doing useful work on the kernel for the most part.

Replying to

and

Lots of these patches appear to be correct fixes for memory corruption, etc. and are going to be reverted due to loss of trust in the authors. In reply to Greg's post on Twitter, a kernel maintainer states a patch to the code they maintain was correct but it's being reverted.

Replying to

and

If they were polluting useful work with distrust, getting it reverted, and making maintainers who already reviewed it do double work trying to get the correct changes unreverted, then they were hardly doing useful work but rather sabotage.

Replying to

and

It's rude, but demonstrating that the review process is flawed isn't malicious. They stated afterwards that the patch was flawed and provided a correct one. I think they didn't properly consider how they could cause harm and should accept it was wrong but it was still useful.

Replying to

and

They're academics. They have strict rules about experimentation on human subjects that they're responsible for knowing and that they violated.

Replying to

and

I agree it's not ethical research. However, a random troll could do the same thing to make the Linux kernel developers look bad. Worse, someone could do it for malicious reasons without giving a warning that they patch was actually intentionally wrong.

Replying to

If it was done solely with the aim to improve the kernel rather than as academic research to write a paper, then that wouldn't apply. I think it's pretty rude to trick someone without their permission to do it but I don't equate that with demonstrating it to be unethical.

3:49 PM · Apr 21, 2021Twitter Web App