The entire University of Minnesota has been banned from Linux kernel development because of the work of just two of its researchers: PhD student Qiushi Wu and assistant professor Kangjie Lu, who were sending malicious patches to the kernel as part of their own investigation.
The researchers published a paper entitled "On the Feasibility of Sneaking Vulnerabilities into Open Source Software Through Hypocritical Changes", in which they explain that Linux, as one of the most prominent examples of open source software, is especially susceptible because "Anyone can help by submitting malicious little patches" that introduce vulnerabilities.
Linux developers don't have time for their experiments
What these researchers were trying to do is not unusual; what is unusual is that no one within the project was informed that it was happening. This line of research generated considerable discontent among the developers who maintain the Linux kernel. That is how Greg Kroah-Hartman, maintainer of the stable branch of the kernel and one of the most respected figures in the community, reached the limit of what he could tolerate.
On the Linux mailing lists, Kroah-Hartman repeatedly warned members of the university to stop sending invalid patches:
Please stop submitting invalid patches. Your teacher is messing with the review process to get a paper in some weird and quirky way.
This is not right, it is a waste of time, and we will have to report this, AGAIN, to your university ...
This was not enough to make them give up. In fact, they responded to Greg telling him to stop making "wild accusations bordering on slander", and added that "his attitude was not only unwelcome but intimidating to newbies."
For Kroah-Hartman, that was the last straw. The developer decided to suspend all future contributions from the university and to revert all of its previous contributions, because "they were obviously sent in bad faith and with the intention of causing trouble."
"Linux kernel developers do not like being experimented on, we have enough real work to do: https://t.co/vWvtxjt7A5" - Greg KH (@gregkh), April 21, 2021
You, and your group, have publicly admitted that you submitted known bug patches to see how the kernel community would react to them, and posted an article based on that work.
Now you are resubmitting a new series of obviously incorrect patches, what am I supposed to think of something like that?
Our community welcomes developers who want to help and improve Linux. That is NOT what you are trying to do here, so please don't try to frame it that way.
Our community does not appreciate being experimented on, or "tested" by submitting known patches that do nothing on purpose or introduce bugs on purpose. If you want to do a job like this, I suggest you find another community to do your experiments, you are not welcome here.
The University of Minnesota, for its part, responded that it takes the situation extremely seriously and will suspend that line of research immediately. It says it will investigate the process by which that research method was approved in order to take the necessary action.
Although the researchers state in their paper that none of the patches they sent made it into the code in the Linux repositories, Leon Romanovsky, another kernel developer, explained that after looking at four of the accepted patches from one of the researchers, three of them introduced several "security holes". Later, Sudip Mukherjee, a Debian and kernel developer, said that "many of them have already reached stable trees."
The community largely sided with Kroah-Hartman because of the extremely dubious ethics of the experiment. Jered Floyd, who is part of the Red Hat team, commented on Twitter that what the researchers did "is worse than just experimenting; it's like saying you're a 'safety researcher' going to a supermarket and cutting the brake lines on all the cars to see how many people crash when they leave. Hugely unethical."