Following the recent “Hypocrite Commits” row, it’s now being reported that the Linux Foundation’s Technical Advisory Board, representing the interests of the kernel community, has asked the University of Minnesota (UMN) to take certain actions before its researchers will be allowed to contribute to Linux again.
This follows the recent incident in which two UMN computer scientists riled up Linux developers by intentionally submitting patches containing questionable code to the mainline kernel.
The dubious submissions were made for a research paper titled “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits.”
Code review
The kernel developers did not take kindly to being experimented on.
In light of the revelations, senior kernel developer Greg Kroah-Hartman proposed reviewing, and where necessary reverting, every contribution to the kernel submitted from official University of Minnesota email addresses.
The letter, a copy of which has been published by ZDNet, formalizes Kroah-Hartman’s demands and asks UMN to provide “all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment.”
“The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code, so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments,” the letter demands.
Human research
While the researchers claim that the intention of their project was to help improve the Linux kernel’s security review process, it is the manner in which they went about their “experiment” that doesn’t sit well with the developers.
In an FAQ, the researchers initially stated that the project had not required prior approval from the University’s Institutional Review Board (IRB) because it wasn’t considered “human research.”
In the letter, Mike Dolan, the Linux Foundation’s senior VP and general manager of projects, responds to that position directly.
“We believe experiments on people without their consent is unethical, and likely involves many legal issues. People are an integral part of the software review and development process. The Linux kernel developers are not test subjects, and must not be treated as such,” writes Dolan.
Dolan also asks UMN to withdraw the paper from any formal publication.
As things stand now, the paper has been accepted for publication at the IEEE Symposium on Security and Privacy (IEEE S&P) 2021. UMN has not yet responded to the letter.
Via ZDNet