The Linux kernel community and the University of Minnesota (UMN) are under fire. Thanks to an ill-thought-out Linux security project, two UMN graduate students tried to intentionally insert buggy patches into Linux. Greg Croha-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only him, but any UMN-connected developers from contributing to the Linux kernel. Now, UMN has addressed the concerns of the Linux kernel developer community. And, in a message Linux Kernel Mailing List (LKML), To Linux Foundation Technical Advisory Board (TAB) And volunteer Senior Linux kernel retainers and developers have reported on everything they found When he closely scrutinized UMN academics.
First things first: 435 commits coming from UMN-connected developers were re-reviewed. “The vast majority of the reviewed commits were found to be correct.” Of the rest, 39 commitments were incorrect and needed fixing; 25 was already decided later; 12 Now it does not matter; 9 were created before the convict research group came into existence and one commit was removed at the request of its author.
Five deliberately corrupt changes were presented to LKML. “These changes were introduced using two fake identities, which is against documented requirements for how to contribute code to the Linux kernel. The university has allowed researchers to use fake identities if they agree.”Certificate of origin, ‘A legal statement about the work being presented. “
However, contrary to what the researchers, QC Wu and Aditya Paki, and their graduate advisors, Kangji Lu, claimed to be an assistant professor in the UMN computer science and engineering department paper “On the feasibility of introducing stealth in open-source software via the Hypocrit Commit, “Aka” Hypocrite Commits “TAB, stated in clear detail that” all patch submissions that were invalid were caught or ignored by Linux kernel developers and maintainers. Our patch-review processes were intended when confronted with these malicious patches. “
Nevertheless, although no new attacks were found, the kernel developers felt that this was to be heavily reviewed. As Croha-Hartmann told me, “We absolutely should have.” This is because there was also a possibility, no matter how small, that the program intentionally placed corrupt code.
Meanwhile, UMN responded favorably to most requests from the Linux Foundation TAB. Later de UMN gave full disclosure to the Linux community about who and how to conduct the Hypocrite Commits project.
Looking ahead, the Linux community wants to work with UMN again if the school “improves the quality of the changes that are proposed to be included in the kernel.”
On Linux side, TAB members wrote: “TAB, working with researchers, explaining best practices for all research groups to follow when working with kernels (and open-source projects in general) Will create a document. “
Specifically, with UMN, since trust has been lost, TAB asks that UMN, as many companies and other research organizations do:
Designate a set of experienced internal developers to review proposed internal changes and provide feedback before those changes are publicly presented. This review captures obvious mistakes and considers the need to repeatedly remind developers of primary practices such as adherence to standards and thoroughly test standards. This is the result of a high-quality patch stream that will encounter fewer problems in the kernel community.
Until that is done, “patches from UMN will continue to find a chilly reception.”