University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs

  • oiaohm
    replied
    Originally posted by pmorph:
    Lower risk, higher risk, similar risk. Anyway, I don't see what previously unknown results they hoped to find with the number of collected samples, which in this setting must be rather low. I think they weren't really interested in the quality of the Linux patch submission process or its problems at all; they just needed whatever large enough project to test their ideas upon. In a word, exploit.
    By their past paper they did not understand how Linux kernel developers would respond either. They never considered that getting caught would cause the Linux kernel maintainers to take action against the university instead of against them as individuals. A lot of open source projects will not bother going after individuals when there is a bigger group to hit that can apply force to the individual.

    Submitting to the Linux kernel is a process of being vetted; getting caught doing wrong things will have long-term effects on people's means of getting employment.

  • pmorph
    replied
    Originally posted by oiaohm:
    So no, it does not follow from genuine bugs getting in that you will be able to design a bug and insert it with a lower risk of getting caught.
    Lower risk, higher risk, similar risk. Anyway, I don't see what previously unknown results they hoped to find with the number of collected samples, which in this setting must be rather low. I think they weren't really interested in the quality of the Linux patch submission process or its problems at all; they just needed whatever large enough project to test their ideas upon. In a word, exploit.

  • oiaohm
    replied
    Originally posted by pmorph:
    We all know genuine bugs can slip in. Logically it follows that designed bugs can slip in as well. They could have just asked, if that much wasn't clear.
    There is a catch here. Genuine natural human screw-ups turn out to be very hard to artificially replicate. Think of the pattern of a random event vs. a non-random one. Designed bugs have non-random behaviour to them.

    So no, it does not follow from genuine bugs getting in that you will be able to design a bug and insert it with a lower risk of getting caught. The unnatural look of the code of someone attempting to design a bug to add in is going to make it more detectable, and more likely the maintainer will not see it as human error and so be very annoyed.

    PS: if you are submitting something tool-generated to the Linux kernel mailing list, you are meant to state that so that you don't end up banned, because it's not going to look like natural human-generated code.
    Last edited by oiaohm; 23 April 2021, 01:38 PM.

  • pmorph
    replied
    Originally posted by Sonadow:
    That something like this could happen shows just how utterly broken and dysfunctional the existing system is with regard to the maintenance of the kernel, and the professor and his student exposed it for what it really is.
    We all know genuine bugs can slip in. Logically it follows that designed bugs can slip in as well. They could have just asked, if that much wasn't clear.

  • oiaohm
    replied
    Originally posted by Sonadow:
    The kernel is a FOSS project. Anybody living in the world has the right to view the code and send patches or commits. It's the maintainers' job to make sure that the commits are good and safe before merging them into the master branch.

    That something like this could happen shows just how utterly broken and dysfunctional the existing system is with regard to the maintenance of the kernel, and the professor and his student exposed it for what it really is.
    No, the Linux kernel is not a FOSS project by what you describe. The Linux kernel is the "benevolent dictatorship" model; this is important to be aware of because this is not the broad FOSS definition. Nowhere in the Linux kernel documentation does it describe itself as a FOSS project.

    https://www.kernel.org/doc/html/late...f-conduct.html
    Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

    The Linux kernel definition of Contributor is important. A Contributor is either an organisation or an individual. When you are a student at a university you are technically not an individual. As a student, just like an employee/member of any other organisation, it is your organisation's responsibility to keep you in line or suffer the ban.

    So, to make the Linux maintainers' job simple for review, everyone from a particular university/company/organisation is just one contributor. Remember this rule also makes universities/companies/organisations sanction their students/employees/members for misbehaviour in ways the Linux kernel maintainers cannot.

    When you or your organisation is a banned contributor under the code of conduct, the kernel maintainers are not required to read your submissions past that point at all. Wasting maintainers' time with modifications that possibly cause security flaws is harmful.

    Remember I said the Linux kernel is a "benevolent dictatorship"; this is basically a dictator who will kill you for doing the wrong things but may listen to you either. Yes, a "benevolent dictatorship" is allowed to work in very broad strokes on problems like this.

    They wanted to see how the Linux kernel developers respond to parties inserting flawed patches; they are now seeing it first hand. I guess it's a bit of a surprise to them that the Linux kernel maintainers don't worry about individuals when there is an organisation that can punish the individual to target instead, so forcing that organisation's hand.

    Banning complete organisations or companies for the bad code of individuals is nothing new to the Linux kernel. The only thing that is new here is that this is the first university to get hit by it.

    There has been a critical failure to research the Linux kernel's history of response before going and poking it.

  • ssokolow
    replied
    Originally posted by Sonadow:
    The kernel is a FOSS project. Anybody living in the world has the right to view the code and send patches or commits. It's the maintainers' job to make sure that the commits are good and safe before merging them into the master branch.
    An open-source project is effectively a private venue, capable of banning people and enacting arbitrary rules within the limits of local anti-discrimination statutes.

    Nobody has a right to have their patches be considered, just like no magazine or newspaper has an obligation to consider your submission. Your right is to make a fork or patchset if you don't like how the project is being managed.

  • Sonadow
    replied
    Originally posted by oiaohm:
    The world is not fair. Greg KH's move here is not unprofessional. You have the original paper that put in 3 patches that had to be fixed up, which was done in an unsafe way. Yes, a formal complaint was made over the first paper because it was unsafe. Now there are 200+ more patches from that university that are crap.

    University students are meant to have proper supervision. The Linux kernel, due to how many critical things depend on it, is not a playground.

    Really, how many more cases of bad supervision have to be let slide? The hard reality here is that a university as a whole is responsible for the actions of its students and is responsible for punishing those students or referring them for criminal charges in cases like this. Until the university deals with the problem, cutting them off is the correct action, as this is the second time. First time a formal complaint; second time a complete block is justified. Third time the legal departments of the companies supporting Linux will get involved.

    People wonder why there are not more attempts to put exploits in the Linux kernel; anyone who has read what the response policy is will normally not do it, particularly when you work out that strike 3 is a few thousand multinationals after your hide, backed up by many governments, progressively getting worse until you are bankrupt. In a lot of ways, intentionally adding an exploit to the Linux kernel is way more dangerous for you than working at Microsoft and intentionally adding an exploit to Windows. Microsoft with Windows will want to cover up to the public that it happened. With the Linux kernel, since the source code is public, the fact it happened is on the record, and now companies want their pound of flesh from next to your heart.
    You are just fibbing now.

    The kernel is a FOSS project. Anybody living in the world has the right to view the code and send patches or commits. It's the maintainers' job to make sure that the commits are good and safe before merging them into the master branch.

    That something like this could happen shows just how utterly broken and dysfunctional the existing system is with regard to the maintenance of the kernel, and the professor and his student exposed it for what it really is.

  • oiaohm
    replied
    Originally posted by indepe:
    AFAIC, reviews find that most of the patches from the general email domain are valid fixes, and a smaller number just useless, while the number of really problematic ones is much, much smaller than 200. Yet it seems to include one from one of the authors of the paper, and patches from his own student(s).
    With the risks, full review is required. It's better to lose a few hundred/thousand patches than to have a few patches with intentional exploits.

  • indepe
    replied
    AFAIC, reviews find that most of the patches from the general email domain are valid fixes, and a smaller number just useless, while the number of really problematic ones is much, much smaller than 200. Yet it seems to include one from one of the authors of the paper, and patches from his own student(s).

  • oiaohm
    replied
    Originally posted by sandy8925:
    This is an immature and unprofessional move by Greg KH. Ban specific email addresses, sure, but banning an entire university of students, professors and researchers is just idiotic.
    The world is not fair. Greg KH's move here is not unprofessional. You have the original paper that put in 3 patches that had to be fixed up, which was done in an unsafe way. Yes, a formal complaint was made over the first paper because it was unsafe. Now there are 200+ more patches from that university that are crap.

    University students are meant to have proper supervision. The Linux kernel, due to how many critical things depend on it, is not a playground.

    The hard reality here is that it is not Greg KH who should have blocked a university email account. Yes, the correct action in this case is really to block the university and wait for the university's final report, which may be the student kicked out of their course or someone else punished for poor supervision. This will send a clear message that the Linux kernel is absolutely not a playground for experimental crap.

    Really, how many more cases of bad supervision have to be let slide? The hard reality here is that a university as a whole is responsible for the actions of its students and is responsible for punishing those students or referring them for criminal charges in cases like this. Until the university deals with the problem, cutting them off is the correct action, as this is the second time. First time a formal complaint; second time a complete block is justified. Third time the legal departments of the companies supporting Linux will get involved.

    There is a form of a 3-strike rule here, except each strike from the Linux Foundation/Linux kernel gets harder with each hit for organisations wishing to submit code:
    1) Warning to your organisation about dangerous coding behaviour.
    2) Ban of all submits by your organisation.
    3) Legal actions by the other organisations that work on the Linux kernel in good faith.

    sandy8925, why should the university get special treatment? With the first paper they got strike 1. They are now on strike 2. That 3-step policy of the Linux kernel has been in place for over 20 years. The Linux kernel is not the place for careless messing around.

    People wonder why there are not more attempts to put exploits in the Linux kernel; anyone who has read what the response policy is will normally not do it, particularly when you work out that strike 3 is a few thousand multinationals after your hide, backed up by many governments, progressively getting worse until you are bankrupt. In a lot of ways, intentionally adding an exploit to the Linux kernel is way more dangerous for you than working at Microsoft and intentionally adding an exploit to Windows. Microsoft with Windows will want to cover up to the public that it happened. With the Linux kernel, since the source code is public, the fact it happened is on the record, and now companies want their pound of flesh from next to your heart.
    Last edited by oiaohm; 22 April 2021, 06:02 PM.
