However there are a number of other angles from which to consider this, and I think Caleb was validly speaking to some of them. Some of these include:
- Should all commits by Wu & Lu be pulled?
- Should all UMinn commits be pulled?
- Should LKML be more careful about accusations?
There are LKML posts upthread by a "Leon" and a "Greg" which accuse specific commits of being part of the Wu/Lu IEEESSP research based on either sharing Lu as an advisor or inspecting the commit and judging it of poor quality. So, maybe that particular connection is wrong.
But *from an incident response perspective, it is right*. That is, the actions Wu/Lu have admitted to indicate on the part of those 2 people a willingness to deceive and a certain degree of poor judgement. Their follow-up posts do not seem to me fully congruent with known facts.
So I think it is reasonable, if you're a kernel maintainer, to not take it as a given that we *do* know exactly what Wu and Lu did or did not do, and treat a much broader swath of commits as potentially undeclared parts of the IEEESSP research until demonstrated otherwise.
So like, if there are legitimate commits, or a legitimate though occasionally incorrect static analysis effort, that get their commits targeted— well it doesn't matter if those commits are good or bad! The point is LKML *can't judge* if they're good or bad.
Replying to @11rcombs @eevee and @mcclure111
They're removing a ton of useful fixes because they can't easily distinguish them from the tiny subset of the commits that were intentionally wrong. It's not accurate that they've easily identified which ones are bad. They're removing many useful fixes resulting in adding bugs.
To the extent the Wu/Lu IEEESSP paper was a piece of legitimate blackhat security research, that is the *lesson* of the paper— that commits that are "hard to review" (large, obscure or claimed based on static analysis) can get in without LKML being able to judge their worth.
So let's say Aditya Pakki submits a good-faith but nonsense static analysis commit, & Greg KH rejects it because Lu is (actually is) Aditya's advisor and accuses it of being bad faith. Well, sure, Greg KH should retract that statement, since it's probably legally actionable libel.
It's only a big fuss because they made the Linux kernel look like an amateurish project. They're only making it worse with this response. It has no shortage of use-after-free bugs, including publicly disclosed ones. Most of the ones found by fuzzing get reported but not fixed.
I watched a very interesting talk on exactly this the other day:
I think Greg KH is on the same page about this too. He's one of the kernel maintainers who acknowledges the scale of the problems and is very open and supportive of solutions. It *definitely* isn't the case for most of the core kernel maintainers though. It's not a consensus.
It seems like LKML is at a disadvantage here because they inherently perform their public communications in the open. Trying to suss out what is happening and form a response during a security incident with the whole world watching sounds hellish. I'm sure I'd make mistakes.
It's *also* the case that many LKML higher-ups seem to have poor attitudes and an unreasonable willingness to vent anger on the mailing list. But even a reasonable, level-headed person might mess up under circumstances such as these when limited to public internal messaging.