However there are a number of other angles from which to consider this, and I think Caleb was validly speaking to some of them. Some of these include:
- Should all commits by Wu & Lu be pulled?
- Should all UMinn commits be pulled?
- Should LKML be more careful about accusations?
There are LKML posts upthread by a "Leon" and a "Greg" which accuse specific commits of being part of the Wu/Lu IEEESSP research based on either sharing Lu as an advisor or inspecting the commit and judging it of poor quality. So, maybe that particular connection is wrong.
But *from an incident response perspective, it is right*. That is, the actions Wu/Lu have admitted to indicate on the part of those 2 people a willingness to deceive and a certain degree of poor judgement. Their follow-up posts do not seem to me fully congruent with known facts.
So I think it is reasonable, if you're a kernel maintainer, to not take it as a given that we *do* know exactly what Wu and Lu did or did not do, and treat a much broader swath of commits as potentially undeclared parts of the IEEESSP research until demonstrated otherwise.
So like, if there are legitimate commits, or a legitimate though occasionally incorrect static analysis effort, that get their commits targeted— well, it doesn't matter if those commits are good or bad! The point is LKML *can't judge* if they're good or bad.
Quote Tweet
Replying to @11rcombs @eevee and @mcclure111
They're removing a ton of useful fixes because they can't easily distinguish them from the tiny subset of the commits that were intentionally wrong. It's not accurate that they've easily identified which ones are bad. They're removing many useful fixes resulting in adding bugs.
To the extent the Wu/Lu IEEESSP paper was a piece of legitimate blackhat security research, that is the *lesson* of the paper— that commits that are "hard to review" (large, obscure or claimed based on static analysis) can get in without LKML being able to judge their worth.
So let's say Aditya Pakki submits a good-faith but nonsense static analysis commit, & Greg KH rejects it because Lu is (actually is) Aditya's advisor and accuses it of being bad faith. Well, sure, Greg KH should retract that statement, since it's probably legally actionable libel.
It's only a big fuss because they made the Linux kernel look like an amateurish project. They're only making it worse with this response. It has no shortage of use-after-free bugs, including publicly disclosed ones. Most of the ones found by fuzzing get reported but not fixed.
The research was done in an unethical way. However, that doesn't mean it wasn't useful. They demonstrated something concerning and important. Definitely not the right way to do it. Don't really see how it can be seen as malicious other than hurting the Linux kernel's reputation.
Malicious people can do exactly what was done in the study. They could be doing it right now. I could submit an email with a bogus patch from a random Gmail address too. They really shouldn't be experimenting on human subjects without their permission, but this is a real problem.