but also to be clear, deliberately trying to sneak vulnerabilities into someone else's software without their knowledge is pretty fucked up, what
Conversation
Replying to
I feel like I would have been tricked by this regardless of the programming language literally just on the basis of the authority of "affiliated with the university of minnesota"
4
1
38
yeah this is mostly that they sent a bunch of patches claiming to be fixing issues found by static analysis tools, implying that they knew what they were doing, and coming from a reasonably trustworthy source
--> the patches got fairly little review
3
18
I've glanced through their paper and I don't see them accounting for or even mentioning the bias that would exist when you submit patches from a university Vs say, an individual account.
1
They didn't submit them that way. You're confusing the good faith patches that are being reverted from the university with the ones submitted from sockpuppet email addresses for the experiment using Gmail.
1
Are you sure? This patch doesn't seem to be very "good faith" (though it's possible I'm missing something here?).
lore.kernel.org/linux-nfs/YH5%
1
They've been regularly involved in submitting fixes based on static analysis. Not all of those patches are correct. Tools have many false positives and the students make mistakes. Do you have any evidence that this has to do with the study, which seemed to use gmail addresses?
2
I based my original reply in this thread, here someone claims that the patch set I linked above (from a uni email) is part of the paper : lore.kernel.org/linux-nfs/YH+z
You're right that they may be innocent patches, I've read a few threads about that since leaving my comment here...
2
in this case the patch doesn't line up with the description at all. It's hard to believe it's a good faith patch.
1
They're students trying to silence errors from static analysis. It's a reach to claim that it's not in good faith because it's clearly wrong. They aren't experienced Linux kernel or probably even C developers. Many of the fixes they've submitted are still useful and correct.
2
If the Linux kernel cannot cope with that because it's too hard to review C code and determine if it's introducing a vulnerability or fixing one, then that's a serious problem.
The study they did wasn't ethical but it wasn't malicious. They intended to stop the mistakes landing.
It's also completely wrong to frame it as if all the work done by the university was part of that small study.
They didn't submit a bunch of patches as part of it.
People are confusing the static analysis work with their attempt at demonstrating the review is flawed.
1
Kernel maintainers including Greg KH rightfully feel that the university did something seriously wrong and are upset about it.
They're retaliating by attacking the good faith work done by people there. A lot of the work is poorly done. A lot of it was also useful and correct.
1
Show replies