University of Minnesota Linux "Hypocrite Commit" Researchers Publish Open Letter
The drama in kernel land this week was the University of Minnesota being banned from Linux kernel development over research it previously carried out on "hypocrite commits": the possibility of intentionally introducing vulnerabilities (such as use-after-free bugs) into the kernel source tree. This weekend the researchers involved published an open letter to the Linux kernel community.
Word that these university researchers had written a research paper on "hypocrite commits", carried out their actions with seemingly little to no external oversight, wasted upstream developer resources, and potentially put the kernel's security at risk raised many concerns in the community.
In addition to "banning" the University of Minnesota from contributing to the upstream kernel, Greg Kroah-Hartman planned to revert all umn.edu patches. So far, however, that has yet to happen on the mainline tree, and the vast majority of the University of Minnesota patches contributed to mainline over the years have been found to have been submitted in good faith.
Following this week's events, University of Minnesota leadership reported that they have discontinued this line of research and are investigating the matter. New this weekend is an open letter published by those involved.
The researchers offer their apologies to the community for any harm caused and for neither communicating their study to Linux stakeholders nor obtaining their permission to carry it out. The letter noted, "we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission."
The letter went on to reaffirm that the other UMN.edu patches were submitted in good faith: "All the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community; they are not related to the “hypocrite commits” paper. These 190 patches were in response to real bugs in the code and all correct--as far as we can discern--when we submitted them."
The public letter ends with, "While this issue has been painful for us as well, and we are genuinely sorry for the extra work that the Linux kernel community has undertaken, we have learned some important lessons about research with the open source community from this incident. We can and will do better, and we believe we have much to contribute in the future, and will work hard to regain your trust."
The open letter in full can be read on the kernel mailing list.