So I think it is reasonable, if you're a kernel maintainer, to not take it as a given that we *do* know exactly what Wu and Lu did or did not do, and treat a much broader swath of commits as potentially undeclared parts of the IEEESSP research until demonstrated otherwise.
Conversation
So like, if there are legitimate commits, or a legitimate though occasionally incorrect static analysis effort, that get their commits targeted— well it doesn't matter if those commits are good or bad! The point is LKML *can't judge* if they're good or bad
Quote Tweet
Replying to @11rcombs @eevee and @mcclure111
They're removing a ton of useful fixes because they can't easily distinguish them from the tiny subset of the commits that were intentionally wrong. It's not accurate that they've easily identified which ones are bad. They're removing many useful fixes resulting in adding bugs.
1
To the extent the Wu/Lu IEEESSP paper was a piece of legitimate blackhat security research, that is the *lesson* of the paper— that commits that are "hard to review" (large, obscure or claimed based on static analysis) can get in without LKML being able to judge their worth.
1
1
So let's say Aditya Pakki submits a good-faith but nonsense static analysis commit, & Greg KH rejects it because Lu is (actually is) Aditya's advisor and accuses it of being bad faith. Well, sure, Greg KH should retract that statement, since it's probably legally actionable libel
1
It's only a big fuss because they made the Linux kernel look like an amateurish project. They're only making it worse with this response. It has no shortage of use-after-free bugs, including publicly disclosed ones. Most of the ones found by fuzzing get reported but not fixed.
3
1
I watched a very interesting talk on exactly this the other day:
1
1
I think Greg KH is on the same page about this too. He's one of the kernel maintainers who acknowledges the scale of the problems and is very open and supportive of solutions. It *definitely* isn't the case for most of the core kernel maintainers though. It's not a consensus.
1
It seems like LKML is at a disadvantage here because they inherently perform their public communications in the open. Trying to suss out what is happening and form a response during a security incident with the whole world watching sounds hellish. I'm sure I'd make mistakes.
2
1
It's *also* the case that many LKML higher-ups seem to have poor attitudes and an unreasonable willingness to vent anger on the mailing list. But even a reasonable, level-headed person might mess up under circumstances such as these when limited to public internal messaging.
2
2
Greg KH generally has a great attitude though. He's extremely pissed about them submitting known bad patches and experimenting on them. I don't think this response makes sense. I think it does more harm than good and makes a bigger issue out of this than it really should be.