[GTALUG] Linus Torvalds Responds to Linux Banning University of Minnesota
Karen Lewellen
klewellen at shellworld.net
Sun Apr 25 15:06:54 EDT 2021
I am not sure I resonate.
Why ban an entire university program for the actions of two students?
It's like saying that because one doctor abused his duties, we will not let
anyone seek care from St. Michael's Hospital ever again.
Or, for a more computer-related reference, Cloudflare's deciding I am a threat
because I cannot solve their non-inclusive captcha... they have a zero
tolerance policy too.
On Sun, 25 Apr 2021, Ansar Mohammed via talk wrote:
> I know some people may think this is an over-reaction. But FWIW, I agree
> with the Zero Tolerance approach.
>
>
> On Sun, Apr 25, 2021 at 12:08 PM Dhaval Giani via talk <talk at gtalug.org>
> wrote:
>
>> On Sun, Apr 25, 2021 at 8:32 AM D. Hugh Redelmeier via talk
>> <talk at gtalug.org> wrote:
>>>
>>> | From: Aruna Hewapathirane via talk <talk at gtalug.org>
>>>
>>> Thanks for pointing this out. (I used to subscribe to the LKML but it
>>> just got too voluminous.)
>>>
>>> | I am still trying to understand the reason 'why' would anyone even
>>> | want to do this?
>>>
>>> The first question is "what, exactly, is 'this'?".
>>>
>>> I've ONLY read media reports and their recent apology. So I'm not the
>>> most informed.
>>> <https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u>
>>>
>>> Some reactions.
>>>
>>> The apology starts with:
>>>
>>> "We sincerely apologize for any harm our research group did to the
>>> Linux kernel community."
>>>
>>> This common formulation rubs me the wrong way. The word "any" means
>>> that they are not actually admitting to there being harm. If they had
>>> used "the" or "all", I would interpret it as a genuine apology.
>>>
>>> Later they seem more contrite. But it is buried at the end of a
>>> paragraph, near the end of the message:
>>>
>>> "We apologize unconditionally for what we now recognize was a breach of
>>> the shared trust in the open source community and seek forgiveness for
>>> our missteps."
>>>
>>> I think that they may have done the communities a service. This kind
>>> of weakness injection has always been available to bad actors. In
>>> this case, it was an actor intending to do good.
>>>
>>> - they don't think that they actually added a vulnerability
>>>
>>> - they demonstrated how adding a vulnerability could be done
>>>
>>> GKH appears to have over-reacted. (I may be wrong: he's always seemed
>>> like a rock-steady guy.)
>>>
>>
>> As someone actually affected by these reverts :-), Greg KH did not
>> overreact. These guys did not do the community a service. They did
>> add vulnerabilities (those have been reverted since) and they did not
>> tell us anything. I myself have left old code in the kernel when
>> trying to get rid of some of my stuff. And I was not trying to inject
>> a bug. They did not tell me anything I did not already know. It is
>> easy to get bugs into the kernel. Let me link to the paper and their
>> "contributions".
>>
>>
>> https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
>> --
>> VIII A
>> By its nature, OSS openly encourages contributors. Committers can
>> freely submit patches without liability. We believe that an effective
>> and immediate action would be to update the code of conduct of OSS,
>> such as adding a term like “by submitting the patch, I agree to not
>> intend to introduce bugs.” Only committers who agreed to it would be
>> allowed to go ahead to submit the patches. By introducing the
>> liability, the OSS would not only discourage malicious committers but
>> also raise the awareness of potential introduced bugs for benign
>> committers.
>> --
>> This is a mitigation. Have contributors claim they are not introducing
>> bugs (at least intentionally).
>>
>> The rest of the mitigations are equally bizarre. They are not telling
>> us anything we don't know. There is nothing original in this work
>> (except for the human experimentation aspect of it.)
>>
>> Now let's talk about the negative impact. It is already hard enough to
>> contribute to the Linux kernel. It is built on trust. They have
>> destroyed any trust we had in code coming from UMN. How do we know we
>> are not being experimented on for research? Like Greg pointed out, it is
>> much easier for us to ignore all their stuff. I don't have enough
>> seconds in my minute to get my day job done. On top of that, any
>> newcomer will have to face a much higher bar, making it even more
>> hostile. (I actually see it as a negative, because it is easier to
>> ignore the newcomer as opposed to doing the extra work. And generally
>> most newcomers with some work turn out to be darn good contributors.)
>> It will make it harder to look at non-corporate contributions
>> seriously.
>>
>> And as far as UMN is concerned, this is not the first time they have
>> been involved in questionable experiments. The last time had much more
>> serious consequences.
>> https://en.wikipedia.org/wiki/Death_of_Dan_Markingson
>>
>> Dhaval