[GTALUG] Linus Torvalds Responds to Linux Banning University of Minnesota

D. Hugh Redelmeier hugh at mimosa.com
Sun Apr 25 11:32:44 EDT 2021


| From: Aruna Hewapathirane via talk <talk at gtalug.org>

Thanks for pointing this out.  (I used to subscribe to the LKML but it
just got too voluminous.)

| I am still trying to understand the reason 'why' would anyone even want to
| do this?

The first question is "what, exactly, is 'this'?".

I've ONLY read media reports and their recent apology.  So I'm not the
most informed.
<https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>

Some reactions.

The apology starts with:

  "We sincerely apologize for any harm our research group did to the
   Linux kernel community."

This common formulation rubs me the wrong way.  The word "any" means
that they are not actually admitting to there being harm.  If they had used
"the" or "all", I would interpret it as a genuine apology.

Later they seem more contrite.  But it is buried at the end of a
paragraph, near the end of the message:

  "We apologize unconditionally for what we now recognize was a breach of
   the shared trust in the open source community and seek forgiveness for
   our missteps."

I think that they may have done the communities a service.  This kind
of weakness injection has always been available to bad actors.  In
this case, it was an actor intending to do good.

- they don't think that they actually added a vulnerability

- they demonstrated how adding a vulnerability could be done

GKH appears to have over-reacted.  (I may be wrong: he's always seemed
like a rock-steady guy.)

He's reverting 190 commits that were not declared to be part of this
experiment.  It is claimed, in the apology, that those ones were done
in good faith.

I do find it odd that the "research" was done last August but that the
hoax was only revealed recently.

Looking more closely at a claim in the apology message:

* This work did not introduce vulnerabilities into the Linux code. The
  three incorrect patches were discussed and stopped during exchanges in
  a Linux message board, and never committed to the code. We reported
  the findings and our conclusions (excluding the incorrect patches) of
  the work to the Linux community before paper submission, collected
  their feedback, and included them in the paper.

What "message board"?  Do they mean the Linux Kernel Mailing List (not
a message board)?

What does "stopped" actually mean?  My understanding was that these
changes were actually committed.  Perhaps I'm wrong.


This is intriguing:

* We understand the desire of the community to gain access to and
  examine the three incorrect patches. Doing so would reveal the
  identity of members of the community who responded to these patches on
  the message board. Therefore, we are working to obtain their consent
  before revealing these patches.

So there *must* be more disclosure.  Until then, we cannot be
satisfied.

