[GTALUG] Linus Torvalds Responds to Linux Banning University of Minnesota
Dhaval Giani
dhaval.giani at gmail.com
Sun Apr 25 12:07:52 EDT 2021
On Sun, Apr 25, 2021 at 8:32 AM D. Hugh Redelmeier via talk
<talk at gtalug.org> wrote:
>
> | From: Aruna Hewapathirane via talk <talk at gtalug.org>
>
> Thanks for pointing this out. (I used to subscribe to the LKML but it
> just got too voluminous.)
>
> | I am still trying to understand the reason 'why' would anyone even want to
> | do this ?
>
> The first question is "what, exactly, is 'this'?".
>
> I've ONLY read media reports and their recent apology. So I'm not the
> most informed.
> <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>
>
> Some reactions.
>
> The apology starts with:
>
> "We sincerely apologize for any harm our research group did to the
> Linux kernel community."
>
> This common formulation rubs me the wrong way. The word "any" means
> that they are not actually admitting to there being harm. If they had used
> "the" or "all", I would interpret it as a genuine apology.
>
> Later they seem more contrite. But it is buried at the end of a
> paragraph, near the end of the message.
>
> "We apologize unconditionally for what we now recognize was a breach of
> the shared trust in the open source community and seek forgiveness for
> our missteps."
>
> I think that they may have done the communities a service. This kind
> of weakness injection has always been available to bad actors. In
> this case, it was an actor intending to do good.
>
> - they don't think that they actually added a vulnerability
>
> - they demonstrated how adding a vulnerability could be done
>
> GKH appears to have over-reacted. (I may be wrong: he's always seemed
> like a rock-steady guy.)
>
As someone actually affected by these reverts :-), Greg KH did not
over-react. These guys did not do the community a service. They did
add vulnerabilities (those have been reverted since) and they did not
tell us anything. I myself have left old code in the kernel when
trying to get rid of some of my stuff. And I was not trying to inject
a bug. They did not tell me anything I did not already know. It is
easy to get bugs into the kernel. Let me link to the paper and their
"contributions".
https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
--
VIII A
By its nature, OSS openly encourages contributors. Committers can
freely submit patches without liability. We believe that an effective
and immediate action would be to update the code of conduct of OSS,
such as adding a term like “by submitting the patch, I agree to not
intend to introduce bugs.” Only committers who agreed to it would be
allowed to go ahead to submit the patches. By introducing the
liability, the OSS would not only discourage malicious committers but
also raise the awareness of potential introduced bugs for benign
committers.
--
This is a mitigation. Have contributors claim they are not introducing
bugs (at least intentionally).
The rest of the mitigations are equally bizarre. They are not telling
us anything we don't know. There is nothing original in this work
(except for the human experimentation aspect of it.)
Now let's talk about the negative impact. It is already hard enough to
contribute to the Linux kernel. It is built on trust. They have
destroyed any trust we had in code coming from UMN. How do we know we
are not being experimented on for research? Like Greg pointed out, it is
much easier for us to ignore all their stuff. I don't have enough
seconds in my minute to get my day job done. On top of that, any
newcomer will have to face a much higher bar, making it even more
hostile. (I actually see it as a negative, because it is easier to
ignore the newcomer as opposed to doing the extra work. And generally
most newcomers with some work turn out to be darn good contributors.)
It will make it harder to look at non-corporate contributions
seriously.
And as far as UMN is concerned, this is not the first time they have
been involved in questionable experiments. The last time had much more
serious consequences.
https://en.wikipedia.org/wiki/Death_of_Dan_Markingson
Dhaval