[GTALUG] Linus Torvalds Responds to Linux Banning University of Minnesota
Ansar Mohammed
ansarm at gmail.com
Sun Apr 25 12:45:59 EDT 2021
I know some people may think this is an over-reaction. But FWIW, I agree
with the Zero Tolerance approach.
On Sun, Apr 25, 2021 at 12:08 PM Dhaval Giani via talk <talk at gtalug.org>
wrote:
> On Sun, Apr 25, 2021 at 8:32 AM D. Hugh Redelmeier via talk
> <talk at gtalug.org> wrote:
> >
> > | From: Aruna Hewapathirane via talk <talk at gtalug.org>
> >
> > Thanks for pointing this out. (I used to subscribe to the LKML but it
> > just got too voluminous.)
> >
> > | I am still trying to understand the reason 'why' would anyone even want to
> > | do this ?
> >
> > The first question is "what, exactly, is 'this'?".
> >
> > I've ONLY read media reports and their recent apology. So I'm not the
> > most informed.
> > <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>
> >
> > Some reactions.
> >
> > The apology starts with:
> >
> > "We sincerely apologize for any harm our research group did to the
> > Linux kernel community."
> >
> > This common formulation rubs me the wrong way. The word "any" means
> > that they are not actually admitting to there being harm. If they had used
> > "the" or "all", I would interpret it as a genuine apology.
> >
> > Later they seem more contrite. But it is buried at the end of a
> > paragraph, near the end of the message:
> >
> > "We apologize unconditionally for what we now recognize was a breach of
> > the shared trust in the open source community and seek forgiveness for
> > our missteps."
> >
> > I think that they may have done the communities a service. This kind
> > of weakness injection has always been available to bad actors. In
> > this case, it was an actor intending to do good.
> >
> > - they don't think that they actually added a vulnerability
> >
> > - they demonstrated how adding a vulnerability could be done
> >
> > GKH appears to have over-reacted. (I may be wrong: he's always seemed
> > like a rock-steady guy.)
> >
>
> As someone actually affected by these reverts :-). Greg KH did not
> overreact. These guys did not do the community a service. They did
> add vulnerabilities (those have been reverted since) and they did not
> tell us anything. I myself have left old code in the kernel when
> trying to get rid of some of my stuff. And I was not trying to inject
> a bug. They did not tell me anything I did not already know. It is
> easy to get bugs into the kernel. Let me link to the paper and their
> "contributions".
>
>
> https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
> --
> VIII A
> By its nature, OSS openly encourages contributors. Committers can
> freely submit patches without liability. We believe that an effective
> and immediate action would be to update the code of conduct of OSS,
> such as adding a term like “by submitting the patch, I agree to not
> intend to introduce bugs.” Only committers who agreed to it would be
> allowed to go ahead to submit the patches. By introducing the
> liability, the OSS would not only discourage malicious committers but
> also raise the awareness of potential introduced bugs for benign
> committers.
> --
> This is a mitigation. Have contributors claim they are not introducing
> bugs (at least intentionally).
>
> The rest of the mitigations are equally bizarre. They are not telling
> us anything we don't know. There is nothing original in this work
> (except for the human experimentation aspect of it.)
>
> Now let's talk about the negative impact. It is already hard enough to
> contribute to the linux kernel. It is built on trust. They have
> destroyed any trust we had in code coming from UMN. How do we know we
> are not being experimented for research? Like Greg pointed out, it is
> much easier for us to ignore all their stuff. I don't have enough
> seconds in my minute to get my day job done. On top of that, any
> newcomer will have to face a much higher bar, making it even more
> hostile. (I actually see it as a negative, because it is easier to
> ignore the newcomer as opposed to doing the extra work. And generally
> most newcomers with some work turn out to be darn good contributors.)
> It will make it harder to look at non-corporate contributions
> seriously.
>
> And as far as UMN is concerned, this is not the first time they have
> been involved in questionable experiments. The last time had much more
> serious consequences.
> https://en.wikipedia.org/wiki/Death_of_Dan_Markingson
>
> Dhaval