It's not a literal statement. It's an explanation of why this is a problem. Depending on trusting that everyone in the world won't do this is a problem. The study was unethical, not malicious. Plenty of people have malicious intent. Someone could do it simply as trolling...
Conversation
It's a problem because the kernel is really complicated code written in a really unsafe language.
Making the problem harder doesn't help anyone.
"It's possible to submit malicious code to open source projects" isn't a revelation by any metric.
1
1
It being possible to submit code is a lot different than it being possible to land malicious code.
The kernel being entirely written in a very unsafe language is part of the problem. That doesn't imply being able to so easily succeed in landing vulnerabilities in a project.
1
1
s/submit/land doesn't make it a revelation either. Of course open source is effectively build upon trust. And it's worth noting that the patches that most recently re-awakened this subject were actually "caught" pretty quickly.
1
Again, they didn't submit these patches from university email addresses and you're continuing to engage in slandering students not involved in it. That's unethical behavior too. Spreading misinformation as misdirection, especially attacking innocent people, is not okay.
2
Definitely not widely accepted that by using open source software, you inherently trust any random person able to submit code to a mailing list from Gmail.
Pretty big difference between trusting the developers of a project and trusting anyone able to submit patches to it.
2
1
I mean. What?
Yeah it is. No one sits and audits every line of code in ANY FOSS software they use, nor even the contributors list.
The top 5 contributors list here shows two major cohorts NOT from known institutions:
news.itsfoss.com/huawei-kernel-
2
I don't know why you're arguing with me and explaining something to me that I've made it pretty clear I believe myself. Many people do not believe that, even for the Linux kernel. I'm also not sure what people not submitting patches from company emails has to do with this at all.
1
1
I never said anything of the kind. I pointed out that the study submitted patches from Gmail addresses, not university email addresses, and that these efforts to fix static analysis findings by students are not part of the study. As with anyone else, some of their work is wrong.
2
Kernel developers have looked into the work being done and found that the vast majority was useful, correct and being done in good faith.
There's no evidence of those patches being part of the study, and I'm not sure what else people expect from static analysis findings...