Check out our Monthly Survey Page to see what our users are running.

Here is your daily dose of WTF. Linux Kernel developer Greg Kroah-Hartman has called out "researchers" from the University of Minnesota and banned them from submitting code to the Linux Kernel.

This story is pretty wild and completely ridiculous. In the name of some apparent research and a written paper titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits", the people involved have now been called out on "sending known-buggy patches to see how the kernel community would react to them".

Part of it goes further, as patches have continued to roll in after the paper was published so they are "continuing to experiment on the kernel community developers by sending such nonsense patches" with the patches not actually doing anything at all. Kroah-Hartman certainly wasn't holding back:

Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

In a further post Kroah-Hartman sent in a patch to revert a bunch of changes done from the group, so they can go over them fully to ensure they're safe and actually do something.

From a certain point of view, it's nice to know that the Kernel team are good at picking up malicious code and attempts to introduce bugs - but doing this to such a huge important project, live and in the open in the name of research? That's just not right.

Update: so the plot thickens it seems! Sarah Jamie Lewis, the Executive Director of Open Privacy, pointed out on Twitter (be sure to read the thread) that they and others expressed concerns about it in 2020 in a co-signed letter to the IEEE S&P (IEEE Symposium on Security and Privacy). It really doesn't look good.

Update 2: Leadership in the University of Minnesota Department of Computer Science & Engineering department released a statement on Twitter, noting that it has suspended the research and will be looking into how it got approved in the first place.

Article taken from GamingOnLinux.com.
Tags: Kernel, Meta
41 Likes , Who?
We do often include affiliate links to earn us some pennies. We are currently affiliated with GOG and Humble Store. See more here.
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
47 comments
Page: «2/5»
  Go to:

Mohandevir 21 Apr
Quoting: Alm888
Quoting: MohandevirSo, following that logic, we are better served with closed source proprietary code that got well know unpatched and exploited flaws for years... Yeah right!

Edit: Wondering who paid for this non-sense "research"? Could we follow the money, please?
What mind-bending yoga has made you to come to this conclusion? Since when prohibiting "scientific" rm -rf /* patches leads to "closed source proprietary code" propaganda?
There are other means of code audition/inspection/scrutiny than willful injection of malicious code into working industry-level software possibly managing critical infrastructure objects like hospitals, nuclear power plants, stock exchange servers or ship navigation systems.
It is all joy and games only until someone gets killed due to this kind of "research".

You are probably right it's probably just this:

Quoting: LoftyEveryday we step closer to the brink of idiocracy.

I tend to give too much credit to some people...

Edit: Still... What I don't understand is that the Minnesota University gave it a "Go!"? How come?!


Last edited by Mohandevir on 21 April 2021 at 6:11 pm UTC
TheSHEEEP 21 Apr
View PC info
  • Supporter Plus
Daily WTF worthy, indeed.
legal action should be taken the Linux kernel is in everything you're not only trying to endanger a technology but also could be said you are trying to endanger life even if they easily found it. the attempt of it is still a valid argument to take legal action.
redneckdrow 21 Apr
Good grief, now the script-kiddies are coming from actual accredited universities with ~49,000 students! Is this really what the world has come to? Lord, I hope not.

This should be added to UMN's Wikipedia page, it's egregious enough!
jens 21 Apr
  • Supporter
I hope those kids and especially their mentors at that university will never get again a food down in IT. I have really no understanding for this "supposed to be innocent" behavior.
Cyril 21 Apr
Just WTF. It's not funny, I can't see this as a serious work of research, it's just plain stupid.
What did they thought? That the Kernel is widely open to everyone who can write anything without verification?
#Facepalm
This is a pretty ridiculous way to test the Linux community, but also shows that the kernel devs need to stay top of their game... just imagine what could happen when (not if) malicious code does slip through the review process. (Reminds me a bit of the so-called "Grievance studies affair").
Liam Dawe 21 Apr
The plot thickens and it's not good on the side of the researchers: https://twitter.com/SarahJamieLewis/status/1384871385537908736

It was condemned ethically back in 2020, seems they didn't care enough.
wvstolzing 21 Apr
Another 'experiment' was conducted on PyPi earlier this year: https://www.theregister.com/2021/03/02/python_pypi_purges/ — not as spectacularly stupid & irresponsible as the one on kernel devs, though.
wvstolzing 21 Apr
Quoting: Liam DaweThe plot thickens and it's not good on the side of the researchers: https://twitter.com/SarahJamieLewis/status/1384871385537908736

It was condemned ethically back in 2020, seems they didn't care enough.

I don't understand all the details in that thread, but as someone in academia (in a field unrelated to CS), my heart sinks once again to see the lengths that people will go to, to churn out a few more papers, & inflate their CVs by a couple more lines.

Inventing clever ways to waste other people's time to advance one's career is a vital skill in today's academia.
While you're here, please consider supporting GamingOnLinux on:

Patreon, Liberapay or PayPal Donation.

We have no adverts, no paywalls, no timed exclusive articles. Just good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register

Or login with...
Sign in with Steam Sign in with Twitter Sign in with Google
Social logins require cookies to stay logged in.

Livestreams & Videos
Community Livestreams