Here is your daily dose of WTF. Linux Kernel developer Greg Kroah-Hartman has called out "researchers" from the University of Minnesota and banned them from submitting code to the Linux Kernel.
This story is pretty wild and completely ridiculous. In the name of some apparent research and a written paper titled, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits", the people involved have now been called out on "sending known-buggy patches to see how the kernel community would react to them".
Part of it goes further, as patches have continued to roll in after the paper was published so they are "continuing to experiment on the kernel community developers by sending such nonsense patches" with the patches not actually doing anything at all. Kroah-Hartman certainly wasn't holding back:
Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.
Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.
In a further post Kroah-Hartman sent in a patch to revert a bunch of changes done from the group, so they can go over them fully to ensure they're safe and actually do something.
From a certain point of view, it's nice to know that the Kernel team are good at picking up malicious code and attempts to introduce bugs - but doing this to such a huge important project, live and in the open in the name of research? That's just not right.
Update: so the plot thickens it seems! Sarah Jamie Lewis, the Executive Director of Open Privacy, pointed out on Twitter (be sure to read the thread) that they and others expressed concerns about it in 2020 in a co-signed letter to the IEEE S&P (IEEE Symposium on Security and Privacy). It really doesn't look good.
Update 2: Leadership in the University of Minnesota Department of Computer Science & Engineering department released a statement on Twitter, noting that it has suspended the research and will be looking into how it got approved in the first place.