They've been regularly involved in submitting fixes based on static analysis. Not all of those patches are correct. Tools have many false positives and the students make mistakes. Do you have any evidence that this has to do with the study, which seemed to use gmail addresses?
They're students trying to silence errors from static analysis. It's a reach to claim that it's not in good faith because it's clearly wrong. They aren't experienced Linux kernel or probably even C developers. Many of the fixes they've submitted are still useful and correct.
Sure, you may well be correct here, however given the circumstances I think a certain level of cynicism is a good thing. You've jumped very quickly to fight this position which I never claimed to hold? My comment is based on 5 minutes of reading, nothing more.
So, maybe you shouldn't be making claims about whether someone was acting in good faith based on 5 minutes of reading. Those are pretty serious accusations. The university acted unethically but so are certain kernel maintainers, and so are you right here.
You're accusing a student of maliciously submitting a patch without bothering to spend the time looking into the situation. See the problem? What happens if someone malicious decides to start doing it instead of researchers with an unethical study not intended to cause harm?
Here is a screenshot of a paper by two U of Minn students which specifically claims "As a proof of concept, we successfully introduce multiple exploitable use-after-free in the latest Linux kernel". Do you suggest the events described there did not happen?
Quote Tweet
To follow up on this. I co-signed a letter with a number of other researchers expressing concern to @IEEESSP regarding the ethics research of this research. A letter from the authors of the study can now be found here: www-users.cs.umn.edu/~kjlu/papers/c
These patches are much more recent (the paper is already on their GitHub, these wouldn't be included if they were malicious). At any rate, neither of us will be able to produce any strong evidence, I suspect we will end up going in circles and waste both of our time.
In one case, they seem to have failed to create an incorrect patch. The maintainer decided they were wrong about it causing a use-after-free and applied it anyway. Another patch never got a response and 3 of them were accepted but then rejected after they said it was incorrect.
So, I'm just trying to talk this out. There are a few things here: Upthread I say "I feel like I would have been tricked by this... on the basis of the authority of 'affiliated with the university of minnesota'". This was an informal comment, it may well have been nonsense.