Conversation

Replying to and
It's not a literal statement. It's an explanation of why this is a problem. Depending on trusting that everyone in the world won't do this is a problem. The study was unethical, not malicious. Plenty of people have malicious intent. Someone could do it simply as trolling...
It's a problem because the kernel is really complicated code written in a really unsafe language. Making the problem harder doesn't help anyone. "It's possible to submit malicious code to open source projects" isn't a revelation by any metric.
Replying to and
It being possible to submit code is a lot different than it being possible to land malicious code. The kernel being entirely written in a very unsafe language is part of the problem. That doesn't imply being able to so easily succeed in landing vulnerabilities in a project.
s/submit/land doesn't make it a revelation either. Of course open source is effectively built upon trust. And it's worth noting that the patches that most recently re-awakened this subject were actually "caught" pretty quickly.
Replying to and
Again, they didn't submit these patches from university email addresses and you're continuing to engage in slandering students not involved in it. That's unethical behavior too. Spreading misinformation as misdirection, especially attacking innocent people, is not okay.
Definitely not widely accepted that by using open source software, you inherently trust any random person able to submit code to a mailing list from Gmail. Pretty big difference between trusting the developers of a project and trusting anyone able to submit patches to it.
Replying to and
You're simply continuing to make disingenuous arguments. I never said anything of the kind. I'm well aware of the serious systemic security issues of the Linux kernel, which go way beyond an unsafe language and very lax code review. I really don't need you to explain it to me.
A thing that's obvious to the bulk of people within a community and not obvious to people outside that community is obvious enough not to warrant an unethically administered study to publicize it. Especially when the study inherently impedes the meaningful work being done.
Replying to and
The 4 or so patches they submitted as part of the study hardly wasted much time. The vast majority of the time being wasted and the harm being done is because of kernel maintainers exaggerating what happened, spreading misinformation and attempting collective punishments for it.
They could have found a way to do this kind of study in an ethical way, and I don't think it would be useless. Some projects have stricter code review, safer languages / architectures, etc. Some don't take public patches (SQLite). It's not universally the same situation at all.