After causing the expulsion of their university from Linux development, researchers have apologized, but for the community it is not enough




A few days ago we told you about how a group of researchers from the University of Minnesota was sending malicious patches to the Linux kernel on purpose to experiment. This line of research caused the entire university to be expelled from Linux development and also generated enormous discontent among the community.



Although the university authorities are investigating how this happened and say they take the situation very seriously, it was not until the weekend that the professor in charge of the project and two of its researchers sent an email to the Linux kernel mailing lists apologizing for the damage their research caused. However, the answer they received is basically that apologies are not enough.



How we got here








To give a bit of context, the research in question was the work of a professor and a PhD student who wanted to test the feasibility of introducing vulnerabilities in open source software by submitting "hypocritical" patches.



To achieve this, they clearly took advantage of the fact that they were part of a trusted institution that has been collaborating on the development of the Linux kernel for years. However, the changes they sent were detected, and after publishing a paper with their results, they were warned by Greg Kroah-Hartman, maintainer of the stable branch of the kernel, to stop sending such patches.













The researchers' responses were quite hostile and at all times they denied what they were doing, causing Kroah-Hartman to take the drastic measure of expelling the entire university for failing to stop this ethically dubious line of research, even after the warnings.



More work must be done to regain the trust of the community








In an "open letter to the Linux community" sent on April 24, the researchers apologized for the damage their research caused and admitted that the method used was inappropriate.



However, they again affirmed that their work did not introduce vulnerabilities in the Linux code, that it was only carried out in August 2020, and that the rest of the patches (190) that were sent, in addition to the patches of April 2021, were not part of their paper on "hypocritical changes".



Other kernel developers have said that some of the accepted patches did introduce security holes, and even that some would have reached the stable kernel trees.



Kroah-Hartman again responded to the letter very bluntly:




Thanks for your reply.



As you know, the Linux Foundation and the Linux Foundation Technical Advisory Council sent a letter to your university on Friday detailing the specific actions that need to take place in order for your group, and your university, to be able to work to regain the trust of the Linux kernel community.



Until those steps are taken, we have nothing more to discuss on this matter.




We do not know what those specific actions are, but what is clear is that neither Kroah-Hartman nor the community is satisfied with an apology, and Kroah-Hartman did not even dignify the letter with a direct response to the claims made in it. At the moment, the University of Michigan is still expelled from the development of the Linux kernel, and they will have to do more work to change that situation.