After causing their university expulsion from Linux development, researchers have apologized, but the community is not enough

After causing their university expulsion from Linux development, researchers have apologized, but the community is not enough

A few days ago we told you about a group of researchers from the University of Minnesota Sending malicious patches to the Linux kernel for use purposes. This line of research led to the loss of the entire university Linux exited development And this caused huge dissatisfaction among the community.

While university officials They are investigating how it happened And they say they take the situation very seriously, it was not until the weekend that the professor in charge of the project and its two researchers, They sent an email The Linux kernel apologizes for the damage done to their research on the mailing list. However, the answer he received is basically the same. Apologies are not enough.


How did we get here

To give a little context, the research in question was the work of a professor and a PhD student They wanted to test the feasibility of introducing vulnerabilities in open source software by introducing “hypocritical” patches..

To achieve this he clearly took advantage of the fact that he was part of a trusted institution that has been supporting the development of the Linux kernel for years. However, the changes they sent were revealed, and even after they were published The paper With its results, To prevent sending such patches, the stationary kernel branch maintainer was warned by Greg Croha-Hartmann.

answer The investigators were quite hostile and denied what they were doing all the time, which led to Croha-Hartmann being taken Stringent measures to expel the entire university for failing to stop this line of research Suspicious morality even after warning.

See also  Tips to avoid being a victim of social engineering

More work needs to be done to regain the trust of the community

Linux

Researchers sent in “an open letter to the Linux community” on April 24 he apologized The cause of his research for damage and Admitted that the method used was inappropriate.

However, he again confirmed that his work did not introduce weaknesses in the Linux code, and this was done only in August 2020, and the rest of the patches (190) which were sent in addition to the April 2021 patch. Were not part of his paper on “hypocritical change”.

Other kernel developers have said that there are some accepted patches Yes they introduce Security holes, and even some stagnant kernel trees would have been reached.

Croha-Hartmann again responded to the letter very clearly:

Thank you for your answer.

As you know, the Linux Foundation and the Linux Foundation Technical Advisory Council sent a letter to your university on Friday detailing those specific tasks, so that your group and your university can work to gain trust. Community. Linux kernel community.

Until those steps are taken, we have nothing more to discuss on this matter.

We do not know what those specific tasks are, but what is clear is that neither Croha-Hartman nor the community is satisfied with an apology, and has not even assigned a letter to reply directly to the allegations leveled at it. At the moment, the University of Michigan is still unnerved by the development of the Linux kernel, and they will have to do more work to change that situation.

See also  'Shoot' to steal neighbor's Wi-Fi password

LEAVE A REPLY

Please enter your comment!
Please enter your name here