9/23/2023

Submitting to linux kernel

Greg KH then immediately calls bullshit on this, and then proceeds to ban the entire university from making commits.

* One of the committers of these faulty patches, Aditya Pakki, writes a reply taking offense at the 'slander' and indicating that the commit was in good faith.

That'll be a fun paper to write, no doubt. Our non-double-blind test of 1 FOSS maintenance group has produced the following result: We get banned and our entire university gets dragged through the muck 100% of the time". "We experimented on the linux kernel team to see what would happen.

We do not know at this time what actions, exactly, Kroah-Hartman and the Linux Foundation require from the group and its university.

The professor gets exactly what they want here, no?

Until those actions are taken, we do not have anything further to discuss about this issue.

Kroah-Hartman acknowledged the letter Sunday but was clearly less than impressed:

As you know, the Linux Foundation and the Linux Foundation's Technical Advisory Board submitted a letter on Friday to your University outlining the specific actions which need to happen in order for your group, and your University, to be able to work to regain the trust of the Linux kernel community.

As part of the project, we studied potential issues with the patching process of Linux, including causes of the issues and suggestions for addressing them.

The "hypocrite commits" work was carried out in August 2020; it aimed to improve the security of the patching process in Linux.

Our work was conducted with the best of intentions and is all about finding and fixing security vulnerabilities.

We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities.
The nearly 800-word open letter comes across as more "wait, you don't understand" than apology:

This Saturday, the UMN research team apologized to the Linux community via an open letter posted to the Linux Kernel Mailing List.

The University of Minnesota Department of Computer Science and Engineering responded to the ban by immediately "suspend[ing] this line of research," promising to investigate the researchers' method and the process by which it was approved.

Kroah-Hartman went on to allow exceptions for such future patches if "they provide proof and you can verify it," but he went on to ask, "really, why waste your time doing that extra work?"

Along with reverting these 68 existing patches, Kroah-Hartman announced a "default reject" policy for future patches coming from anyone with an address.

Last week, in response to these "Hypocrite Commits," senior Linux kernel dev Greg Kroah-Hartman reverted 68 patches submitted by folks with umn.edu email addresses.

Lu, Wu, and Pakki published their findings in February at the 42nd IEEE Symposium on Security and Privacy.

Once the maintainers responded to the submitted patch, the UMN researchers pointed out the bug introduced by their patch and offered a "proper" patch, one that did not introduce a newly exploitable condition, in its place.

The three researchers would then email their Trojan-horse patches to Linux kernel maintainers to see if the maintainers detected the more serious problem the researchers had introduced in the course of fixing a minor bug.

These minor patches however introduce the missing conditions of the "immature vulnerabilities." The "immature vulnerabilities" are not real vulnerabilities because one condition (such as a use of a freed object) is still missing. We construct three incorrect or incomplete minor patches to fix the three bugs. We employ a static-analysis tool to identify three "immature vulnerabilities" in Linux, and correspondingly detect three real minor bugs that are supposed to be fixed.
The trio's scheme involved first finding three easy-to-fix, low-priority bugs in the Linux kernel and then fixing them, but fixing them in such a way as to complete what the UMN researchers called an "immature vulnerability":

This policy change came as a result of three University of Minnesota researchers (Qiushi Wu, Kangjie Lu, and Aditya Pakki) embarking on a program to test the Linux kernel dev community's resistance to what the group called "Hypocrite Commits."

Testing the Linux kernel community

Last week, senior Linux kernel developer Greg Kroah-Hartman announced that all Linux patches coming from the University of Minnesota would be summarily rejected by default.